SEC 110 ch 12
Which of the following are required to configure Event Subscription for event forwarding? (Select three.) -Create a Windows firewall exception for HTTP or HTTPS on all source computers. -Configure the destination log. -Start Windows Remote Management service on both the source and collector computers. -Give the subscription a name. -Start Windows Event Collector service on collector computer. -Configure Runtime Status. -Create a filter.
-Create a Windows firewall exception for HTTP or HTTPS on all source computers. -Start Windows Remote Management service on both the source and collector computers. -Start Windows Event Collector service on collector computer.
Your network performs a full backup every night. Each Sunday, the previous night's backup tape is archived. On a Wednesday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data? -1 -2 -3 -4 -5 -6
1 ------------------------ You would need to perform a single restore procedure. You would simply restore the last full backup from Wednesday to restore all of the data.
Your network uses the following backup strategy: full backups every Sunday night; incremental backups Monday night through Saturday night. On a Thursday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data? -1 -2 -3 -4 -5
4 --------------------- You would need to perform four restore procedures: restore the full backup from Sunday, the incremental backup from Monday, the incremental backup from Tuesday, and the incremental backup from Wednesday.
Which of the following describes a system image backup? (Select two.) -A system image includes only specified files and folders backed up to a compressed file. -A system image backup consists of an entire volume backed up to .vhd files. -A system image only contains the operating system, installed programs, drivers, and user profile settings. -A system image does not include operating system files, program files, encrypted files, files in the Recycle Bin, user profile settings, or temporary files. -A system image contains everything on the system volume, including the operating system, installed programs, drivers, and user data files.
A system image backup consists of an entire volume backed up to .vhd files. A system image contains everything on the system volume, including the operating system, installed programs, drivers, and user data files.
Which of the following components are the SIEM's way of letting the IT team know that a pre-established parameter is not within the acceptable range? -Trends -Sensors -Dashboard -Alerts
Alerts
Some users report that frequent system crashes have started happening on their workstations. Upon further investigation, you notice that these users all have the same application installed that has been recently updated. Where would you go to conduct a root cause analysis? -Security log -Firewall log -Network log -Application log
Application log
Which of the following is an important aspect of evidence-gathering? -Back up all log files and audit trails. -Purge transaction logs. -Restore damaged data from backup media. -Monitor user access to compromised systems.
Back up all log files and audit trails.
Which of the following is true of an incremental backup's process? -Backs up all files with the archive bit set and resets the archive bit. -Backs up all files regardless of the archive bit and does not reset the archive bit. -Backs up all files regardless of the archive bit and resets the archive bit. -Backs up all files with the archive bit set and does not reset the archive bit.
Backs up all files with the archive bit set and resets the archive bit.
You are in charge of making sure the IT systems of your company survive in case of any type of disaster at any of your locations. Your document should include organizational charts, phone lists, and order of restore. Each business unit should write its own policies and procedures with guidelines from corporate management. Which of the following documents should you create for this purpose? -Business continuity plan -Incident-response team charter -Communication plan -Disaster recovery plan
Business continuity plan
You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. Which type of document is this? -Chain of custody -CPS (certificate practice statement) -Rules of evidence -FIPS-140
Chain of custody
Which of the following network strategies connects multiple servers together so that if one server fails, the others immediately take over its tasks, preventing a disruption in service? -Adapter bonding -Clustering -Mirroring -Storage Area Networks (SANs)
Clustering
Which of the following is a recovery site that may have electricity connected, but there are no servers installed and no high-speed data lines present? -Hot site -Warm site -Reciprocal agreement -Cold site
Cold site
You want to store your computer-generated audit logs in case they are needed in the future for examination or to be used as evidence in the event of a security incident. Which method can you use to ensure that the logs you put in storage have not been altered when you use them in the future? -Encrypt the logs. -Make two copies of each log and store each copy in a different location. -Store the logs in an offsite facility. -Create a hash of each log.
Create a hash of each log. ------------------------ Use a hash to verify that the contents of a log have not been altered. When you analyze the logs, take another hash and compare the new hash to the original one. If the hashes match, the logs have not been altered. Storing logs offsite makes them harder to access and alter, and this prevents a disaster at your main location from destroying the logs. Encrypting the logs protects the log confidentiality but does not prevent them from being altered, nor can it prove that the logs have not been altered. Creating two copies of the logs ensures that a single disaster does not destroy the logs. Comparing both logs to make sure they match does not guarantee that someone didn't alter both copies. In addition, if a disaster destroys one copy of the logs, you would not have a way to verify that the remaining copy has not been altered.
You suspect cache poisoning or spoofing has occurred on your network. Users are complaining of strange web results and being redirected to undesirable sites. Which log would help you determine what is going on? -Application logs -Security logs -DNS logs -Network logs
DNS logs ------------------------ You would take a look at the DNS logs for DNS cache poisoning. After this, you can begin monitoring DNS query traffic.
Which of the following BEST describes a constant? -Data or a value that does not change. -A sequence of characters. -A named unit of data that is assigned a value. -A group of related data values or elements.
Data or a value that does not change.
During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence? -Disconnect the access point from the network. -See who is connected to the access point and attempt to find the attacker. -Connect to the access point and examine its logs for information. -Run a packet sniffer to monitor traffic to and from the access point.
Disconnect the access point from the network. ------------------------ The first step in responding to an incident is to take actions to stop the attack and contain or limit the damage.
You are conducting a forensic investigation. The attack has been stopped. Which of the following actions should you perform first? -Document what is on the screen. -Stop all running processes. -Remove the hard drive. -Turn off the system.
Document what is on the screen.
You wish to configure collector-initiated event subscriptions. On the collector computer, in which program do you configure a subscription? -Event Viewer -Local Group Policy -Computer Management -Device Manager
Event Viewer
You want to allow RDP 3389 traffic into your network for a group of users to access a particular workstation that has a special application in your office. Which endpoint security tool would you use to make this happen? -Data monitoring apps -Content filters -URL filters -Firewall rules
Firewall rules
You have been asked to deploy a network solution that includes an alternate location where operational recovery is provided within minutes of a disaster. Which of the following strategies would you choose? -Hot spare -Hot site -Cold site -Warm site
Hot site
A conditional statement that selects the statements to run depending on whether an expression is true or false is known as which of the following? -If statement -If else statement -Else statement -Else if statement
If else statement
You need to limit a compromised application from causing harm to other assets in your network. Which strategy should you employ? -SOAR -Segmentation -Isolation -Containment
Isolation
Your company is about to begin litigation, and you need to gather information. You need to get emails, memos, invoices, and other electronic documents from employees. You'd also like to get printed, physical copies of documents. Which tool would you use to gather this information? -Legal hold -Chain of custody -Timestamps -Timeline of events
Legal hold
As a security analyst, you have discovered that the victims of a malicious attack have several things in common. Which tools would you use to help you identify who might be behind the attacks and prevent potential future victims? (Select two.) -Cyber Kill Chain -Disaster recovery plan -Implement appropriate stakeholder management -MITRE ATT&CK -Diamond Model of Intrusion Analysis
MITRE ATT&CK; Diamond Model of Intrusion Analysis
To prevent server downtime, which of the following components should be installed redundantly in a server system? -Floppy disk drive -CD or DVD drive -Power supply -RAM modules
Power supply
What does the hashing of log files provide? -Prevention of the system running when the log files are full -Prevention of log files being altered or overwritten -Sequencing of files and log entries to recreate a timeline of events -Confidentiality to prevent unauthorized reading of the files -Proof that the files have not been altered
Proof that the files have not been altered
!= or <> refers to Not Equal in which scripting language? -PuTTY -Bash -Python -PowerShell
Python
You need to limit the impact of a security breach for a particular file server with sensitive company data. Which strategy would you employ? -Isolation -Containment -Segmentation -SOAR
Segmentation --------------------- You would choose segmentation. You can segment using VLANs, software-defined networks, switches, subnetting, or even physical segmentation.
You have a large number of source computers in your IT environment. Which subscription type would be most efficient to employ? -Source-initiated -Event forwarding -HTTP or HTTPS -Collector-initiated
Source-initiated
Which TWO types of service accounts must you use to set up event subscriptions? -Collector computer account -Specific user service account -Default machine account -Network server machine account -Local event administrators account
Specific user service account Default machine account ------------------------ You would choose a default machine account and specific user service account. Either type of account must be a member of either the Source Computers Event Log Readers group (the most secure choice) or a member of the Local Administrators group.
What is the purpose of audit trails? -To correct system problems. -To prevent security breaches. -To detect security-violating events. -To restore systems to normal operations.
To detect security-violating events. ------------------------ Auditing itself is used to prevent security breaches, and audit trails are used for detective control.
Why should backup media be stored offsite? -To comply with government regulation -To prevent the same disaster from affecting both the network and the backup media -To reduce the possibility of theft -To improve the efficiency of the restoration process
To prevent the same disaster from affecting both the network and the backup media
Daily backups are completed at the ABD company location, and only a weekly backup is maintained at another network location. Which of the following disaster recovery strategies is ABD using? -Warm site -Hot spare -Cold site -Hot site
Warm site
Which log file type is one of the most tedious to parse but can tell you exactly when users log onto your site and what their location is? -Event logs -Web server logs -Authentication logs -System logs
Web server logs
You are worried about email spoofing. What can be put throughout an email's header that provides the originating email account or IP address and not a spoofed one? -Timestamp -X-headers -Data points -Metadata
X-headers
For some reason, when you capture packets as part of your monitoring, you aren't seeing much traffic. What could be the reason? -Your machine is set to only capture HTTP packets. -You forgot to turn on promiscuous mode for the network interface. -Your NIC is set to broadcasting instead of receiving. -You have multiple MAC addresses associated with one NIC.
You forgot to turn on promiscuous mode for the network interface. ------------------------- The most likely reason is that you forgot to turn on promiscuous mode for your network interface. Turning on promiscuous mode gives the interface permission to grab every frame that comes its way, even if the frame is addressed to someone else.
Your browser has blocked you from your crucial secure intranet sites. What could be the problem? -You are using HTTP instead of HTTPS. -Your SSL certificate status has been revoked. -The firewall administrator set up a rule that blocked the users. -You misconfigured a content filter.
Your SSL certificate status has been revoked. ------------------------- Many browsers block websites with invalid certificates.
You need to find the text string "New Haven" in 100 documents in a folder structure on a Linux server. Which command would you use? -grep -tail -head -chmod
grep
You would like to add some entries into the system log file. Which command would you use? -grep -logger -cat -chmod
logger
A forensic investigator gathers potential evidence from many software, hardware, and other sources. There is an order in which the evidence needs to be gathered. The order of volatility describes the process of capturing data based on the volatility of said data. Place the following items in the correct order of volatility in the gathering of potential evidence. *swap/page file *remote logs *archived data *random access memory (RAM) *hard drive
1=Random Access Memory (RAM) 2=Swap/page file 3=Hard drive 4=Remote logs 5=Archived data
Your network uses the following backup strategy: full backups every Sunday night; differential backups Monday night through Saturday night. On Thursday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data? -1 -2 -3 -4 -5
2 ------------------------ You would need to perform two restore procedures: restore the full backup from Sunday, then the differential backup from Wednesday.
You have been asked to implement a RAID 5 solution for your network. What is the minimum number of hard disks that can be used to configure RAID 5? -2 -3 -4 -5 -6
3
After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best step or action to take next? -Deploy new countermeasures. -Back up all logs and audits regarding the incident. -Update the security policy. -Restore and repair any damage.
Back up all logs and audits regarding the incident. ---------------------- The first step after an intrusion is to retain the documentation about the incident. Making backups of the logs and audits ensures that future investigations have sufficient information regarding the incident.
What is the most important element related to evidence in addition to the evidence itself? -Chain of custody document -Witness testimony -Completeness -Photographs of the crime scene
Chain of custody document
You are configuring a source-initiated subscription on the collector computer in Event Viewer. Which of the following do you need to specify? -Content filter -Computer group -System log -Computer
Computer group
You have detected and identified a security event. What's the first step you should complete? -Containment -Segmentation -Playbook -Isolation
Containment
You would like to make sure users are not accessing inappropriate content online at work. Which endpoint security strategy would you employ? -Content filtering -Firewall rules -Mobile device management (MDM) -URL filters
Content filtering ----------------------- Firewall rules usually pertain to data, not necessarily inappropriate content. URL filters are for whitelisting and blacklisting sites. They are not used for filtering content.
How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence? -Create a checksum using a hashing algorithm -Write a log file to the media -Reset the file attributes on the media to read-only -Enable write protection
Create a checksum using a hashing algorithm ------------------------ In the future, the same hashing algorithm can be used to create another checksum. Then the two values are compared. If the checksums are identical, the media was not altered.
You have a computer with three hard disks. A RAID 0 volume uses space on Disk 1 and Disk 2. A RAID 1 volume uses space on Disk 2 and Disk 3. Disk 2 fails. Which of the following is true? -Data on the RAID 0 volume is accessible; data on the RAID 1 volume is not. -Data on both volumes is not accessible. -Data on both volumes is still accessible. -Data on the RAID 1 volume is accessible; data on the RAID 0 volume is not.
Data on the RAID 1 volume is accessible; data on the RAID 0 volume is not. ------------------------ In this scenario, Disk 2 is shared between both volumes. If Disk 2 fails, the RAID 1 volume is still accessible because RAID 1 (mirrored) volumes can sustain the loss of a single disk. The data on the RAID 0 volume is not accessible. RAID 0 uses striping, which distributes the data evenly between multiple disks. If a single disk fails, the entire volume is lost.
You set up Event Subscription, but you are getting an overwhelming amount of events recorded. What should you do? -Use the Runtime Status link -Use the default machine account -Choose the correct subscription type -Define a filter
Define a filter
When you conduct a forensic investigation, which of the following initial actions is appropriate for preserving evidence? -Stop all running processes. -Document what is on the screen. -Remove the hard drive. -Turn off the system.
Document what is on the screen.
You suspect a bad video driver is causing a user's system to randomly crash and reboot. Where would you go to identify and confirm your suspicions? -Application logs -Syslog -SIP logs -Dump files
Dump files --------------------- You would choose dump files. Dump files are created when an application, OS, or other computer function stops abruptly. These files help IT admins perform root-cause analysis and can also give clues as to the crash's origin. This could be something as commonplace as a bad driver or hardware component. Or, unfortunately, it may prove to be the result of a malicious act.
You would like to get a feel for the amount of bandwidth you are using in your network. What is the first thing you should do? -Establish a baseline. -Choose a protocol. -Set intervals. -Create data points.
Establish a baseline.
By default, events received from the source computers in Event Subscription are saved in which log? -Application log -Forwarded Events log -Security log -System log
Forwarded Events log
Which backup strategy backs up all files from a computer's file system, regardless of whether the file's archive bit is set or not, and then marks them as backed up? -Copy -Incremental -Full -Differential
Full
For source-initiated subscriptions, which tool do you use to configure event forwarding? -Event Viewer -Filter settings -Group Policy -Service account
Group Policy
Which method can you use to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence? -Hashing -Photographs -File directory listing -Serial number notation
Hashing
The chain of custody is used for which purpose? -Detailing the timeline between creation and discovery of evidence -Retaining evidence integrity -Identifying the owner of the evidence -Listing people coming into contact with the evidence
Listing people coming into contact with the evidence
Match each network sniffing method with the correct definition. Methods: MAC spoofing, MAC flooding, ARP poisoning, port mirroring. ------------------------------- Definitions: -The MAC address of the attacker can be associated with the IP address of another host. -Creates a duplicate of all network traffic on a port and sends it to another device. -Allows an attacker's computer to connect to a switch using an authorized MAC address. -The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.
-MAC spoofing: Allows an attacker's computer to connect to a switch using an authorized MAC address. -MAC flooding: The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address. -ARP poisoning: The MAC address of the attacker can be associated with the IP address of another host. -Port mirroring: Creates a duplicate of all network traffic on a port and sends it to another device.
As a security analyst, you are configuring your environment to be able to properly gather digital forensic information. Which of the following must be set up to help create a timeline of events? -Make sure all client computers have their time set accurately by a time server. -Create a report template that helps you describe the incident, how the evidence was analyzed, and the conclusions you came to. -Create tags for all your IT assets so that they are easily identifiable and trackable. -Create a solid chain of custody that proves that no evidence-tampering has occurred.
Make sure all client computers have their time set accurately by a time server.
As a security analyst, you suspect a threat actor used a certain tactic and technique to infiltrate your network. Which incident-response framework or approach would you utilize to see if other companies have had the same occurrence and what they did to remedy it? -MITRE ATT&CK -Cyber Kill Chain -Diamond Model of Intrusion Analysis -Communication plan with stakeholders
MITRE ATT&CK ----------------------- The Diamond Model of Intrusion Analysis defines adversary, victim, capabilities, and infrastructure. This model does not consider attacks other companies have experienced.
You need to remotely wipe an Android phone for one of your rogue users. Which endpoint tool would you use? -Quarantining -Mobile device management (MDM) -Mobile application management (MAM) -MAM-WE
Mobile device management (MDM) ---------------------- You would choose mobile device management (MDM). MDM offers a way to easily monitor and manage mobile devices. This includes updates, data encryption, and remote wipes of a compromised device.
Which of the following are backed up during an incremental backup? -Only files that have changed since the last full or incremental backup. -Only files that have changed since the last full or differential backup. -Only files that are new since the last full or incremental backup. -Only files that have changed since the last full backup.
Only files that have changed since the last full or incremental backup. ------------------------ An incremental backup only captures files that have changed since the last full or incremental backup. The primary attraction to this backup plan is that it requires less storage space and processing time to complete.
Which of the following BEST describes PuTTY? -A mechanism that allows you to interact with the operating system directly. -A programming language for a special runtime environment that automates the execution of tasks. -A method that provides an encryption standard that's widely used by internet websites. -Open-source software that is developed and supported by a group of volunteers.
Open-source software that is developed and supported by a group of volunteers.
Your disaster recovery plan calls for backup media to be stored at a different location. The location is a safe deposit box at the local bank. Because of this, the disaster recovery plan specifies that you choose a method that uses the least amount of backup media, but also allows you to quickly back up and restore files. Which backup strategy would BEST meet the disaster recovery plan? -Perform a full backup once per week and an incremental backup the other days of the week. -Perform a full backup each day of the week. -Perform a full backup once per month and an incremental backup the other days of the month. -Perform a full backup once per week and a differential backup the other days of the week. -Perform a full backup once per year and a differential backup for the rest of the days in the year.
Perform a full backup once per week and a differential backup the other days of the week.
Which of the following disk configurations might sustain losing two disks? (Select two.) -RAID 0+1 -RAID 5 -RAID 0 -RAID 1+0 -RAID 1
RAID 1+0
Which of the following drive configurations is fault tolerant? -Expanded volume set -Disk striping -RAID 0 -RAID 5
RAID 5
What is the primary security feature that can be designed into a network's infrastructure to protect and support availability? -Switches instead of hubs -Redundancy -Periodic backups -Fiber optic cables
Redundancy
A system failure has occurred. Which of the following restoration processes would result in the fastest restoration of all data to its most current state? -Restore the full backup and the last incremental backup -Restore the full backup and all incremental backups -Restore the full backup and all differential backups -Restore the full backup and the last differential backup
Restore the full backup and the last differential backup
You want to set up a collector-initiated environment for event subscriptions. Which commands would you run? (Select two.) -Run winrm qc -q on the collector computer. -Run winrm qc /q on the collector computer. -Run wecutil qc /q on the source computer. -Run winrm qc -q on the source computer. -Run wecutil qc on the collector computer. -Run wecutil qc on the source computer.
Run winrm qc -q on the source computer. Run wecutil qc on the collector computer.
You would like to enhance your incident-response process and automate as much of it as possible. Which of the following elements would you need to include? (Select two.) -Blacklisting -Runbooks -Whitelisting -Playbooks -Quarantining
Runbooks; Playbooks ------------------------ You would choose runbooks and playbooks. Runbooks are a condition-based series of protocols you can use to establish automated processes for security-incident response. A playbook is a checklist-style document that specifies the steps to be taken in response to a threat or incident. The steps are listed in the order to be performed. A playbook ensures a consistent approach to security issues.
For some reason, your source computers are not communicating properly with the collector. Which tool would you use to verify communications? -Run wecutil qc -Run winrm qc -q -Runtime Status -Event Viewer -System log
Runtime Status -------------------------- You would choose Runtime Status to verify communications after you have created a subscription.
As a security analyst, you are looking for a platform to compile all your security data generated by different endpoints. Which tool would you use? -SOAR -MDM -MAM -GDPR
SOAR
Which of the following is a standard for sending log messages to a central logging server? -OVAL -Syslog -LC4 -Nmap
Syslog ------------------------- Syslog is a protocol that defines how log messages are sent from one device to a logging server on an IP network. The sending device sends a small text message to the syslog receiver (the logging server).
Over the past few days, a server has gone offline and rebooted automatically several times. You would like to see a record of when each of these restarts has occurred. Which log type should you check? -System -Firewall -Performance -Security
System --------------------- A performance log records information about the use of system resources, such as the processor, memory, disk, or network utilization.
You would like to simulate an attack on your network so you can test defense equipment and discover vulnerabilities in order to mitigate risk. Which tool would you use to simulate all the packets of an attack? -Etherflood -TCPDump -TCPReplay -Wireshark
TCPReplay
You are concerned that an attacker can gain access to your web server, make modifications to the system, and alter the log files to hide his or her actions. Which of the following actions would best protect the log files? -Use syslog to send log entries to another server. -Take a hash of the log files. -Encrypt the log files. -Configure permissions on the log files to prevent access.
Use syslog to send log entries to another server. -------------------------- The best protection is to save log files to a remote server. In this way, compromise of a system does not provide access to the log files for that system.
What is the best definition of a security incident? -Violation of a security policy -Compromise of the CIA -Interruption of productivity -Criminal activity
Violation of a security policy
This application endpoint-protection rule implicitly denies unless added to the rule. Which of the following processes describes this? -Quarantining -Blacklisting -Whitelisting -Content filtering
Whitelisting
You would like to see only the last 15 lines of /home/user/logfile on your Linux machine. Which command line interface (CLI) command would you use? -head -n 15 /home/user/logfile -tail -f /home/user/logfile -cat -n 15 /home/user/logfile -tail -n 15 /home/user/logfile
tail -n 15 /home/user/logfile