Security + 13 / Disaster Recovery and Business Continuity
Which storage area network term describes a host using more than one physical path to gain access to shared network storage? A. Multipathing B. App load balancing C. RAID 0 D. RAID 1
A. Multipathing
How many steps are involved in the forensic investigation process? 6 5 7 3
7
You are an IT network architect. Your firm has been hired to perform a network security audit for a shipping company. One of the company's warehouses has a server room containing one Windows server and two Linux servers. After interviewing the server administrators, you learn they have no idea what to do if the Linux servers cease to function. What is needed here? A. Disaster recovery plan B. Risk analysis C. Windows servers D. Server clustering
A. Disaster recovery plan
Windows Server backups are scheduled as follows: full backups on Saturdays at 3 A.M. and incremental backups weeknights at 9 P.M. Write verification has been enabled. Backup tapes are stored off site at a third-party backup vendor location. What should be done to ensure the integrity and confidentiality of the backups? (Choose two.) A. Have a different person than the backup operator analyze each day's backup logs. B. Ensure the user performing the backup is a member of the Administrators group. C. Encrypt the backup media. D. Use SSL to encrypt the backup media.
A. Have a different person than the backup operator analyze each day's backup logs. C. Encrypt the backup media.
An airline company has hired you to ensure that its customer reservation system is always online. The software runs and stores data locally on the Linux operating system. What should you do? A. Install two Linux servers in a cluster. Cluster the airline software, with its data being written to shared storage. B. Install a new Linux server. Ensure that the airline software runs from the first server. Schedule airline data to replicate to the new Linux server nightly. C. Configure the Linux server with RAID 5. D. Configure the Linux server with RAID 1.
A. Install two Linux servers in a cluster. Cluster the airline software, with its data being written to shared storage. --- A. Clustering software between two servers will enable the customer reservation system to function even if one server fails, because the data is not stored within a single server; it exists on shared storage that both cluster nodes can access. When a cluster node (server) fails, the application fails over to a running cluster node (server). B, C, and D are incorrect. Scheduling nightly data replication does not ensure that the airline software is always online. Most cloud providers allow cloud-stored data to be replicated between locations separated by long distances. This prevents data loss or downtime resulting from a regional disaster. RAID 1 (mirroring) and RAID 5 (striping with distributed parity) are useless if the server fails.
Which of the following regarding disaster recovery are true? (Choose two.) A. Once the plan is complete, to save time it need never be revisited. B. Once the plan is complete, it must have management approval. C. The plan must evolve with the business. D. The plan should include only IT systems.
A. Once the plan is complete, to save time it need never be revisited. B. Once the plan is complete, it must have management approval.
You are creating a DRP for a small, independent car dealership. There are four employees who each use a desktop computer; there are no servers. All company data is stored on the four computers. A single high-speed DSL link is shared by all users. What are the best DRP solutions? (Choose two.) A. Store data in the cloud instead of locally. B. Ensure that employees know exactly what to do in the event of a disaster. C. Purchase faster desktops. D. Purchase a file server.
A. Store data in the cloud instead of locally. B. Ensure that employees know exactly what to do in the event of a disaster.
Identify the disaster recovery plan errors. (Choose two.) A. Perform a business impact analysis first. B. Base your DRP on an unchanged downloaded template. C. Data backups are never tested; it costs the company too much money. D. Keep existing backup solutions in place even though the software is two versions out of date.
B. Base your DRP on an unchanged downloaded template. C. Data backups are never tested; it costs the company too much money. --- B and C. Your DRP should be much more specific than what a downloaded template can provide. DRPs must be tested initially and periodically to ensure their efficiency and efficacy. A and D are incorrect. A DRP takes the business impact analysis into account. Backed-up software that is two versions out of date may still function correctly; often there are risks involved with immediately using the newest software.
A team leader assigns a server administrator the task of determining the business and financial effects that a failed e-mail server would have if it was down for two hours. What type of analysis must the server administrator perform? A. Critical systems and components identification B. Business impact analysis C. Security audit D. Risk assessment
B. Business impact analysis
You have configured your enterprise cloud storage so that it continuously replicates to a cloud provider data center in a different region. Replication to the secondary region occurs only after data is written to the primary storage. Which term best describes this resilience configuration? A. Synchronous replication B. Geographic service dispersal C. Dedicated circuit D. Load balancing
B. Geographic service dispersal
Your company is virtualizing DNS, DHCP, web, and e-mail servers at your location. Each of the four virtual machines will be spread out across two physical hosts. Virtual machines are using virtual hard disks, and these files exist on a SAN. Choose the best virtual machine backup strategy that will enable the quickest granular restore. A. Back up the virtual machine hard disks at the SAN level. B. Install a backup agent in each virtual machine and perform backups normally. C. Duplicate your SAN disk array so that backups are not necessary. D. Run all four virtual machines on the same physical host to be backed up.
To ensure confidentiality, what should you do when storing server backup disks
B. Install a backup agent in each virtual machine and perform backups normally. --- If granular restores are required, backing up each virtual machine using a backup agent installed in each VM is the best choice. A, C, and D are incorrect. Backing up the SAN means backing up virtual hard disks used by the virtual machines. This presents some difficulty if you must restore specific (granular) files. Backups are always necessary no matter what. If virtual hard disks are on a SAN, all four virtual machines do not have to be running on the same physical host.
A busy clustered web site regularly experiences congested network traffic. You must improve the web site response time. What should you implement? A. Ethernet switch B. Network load balancing C. Fibre Channel switch D. Proxy server
B. Network load balancing --- B. Network load balancing (NLB) can distribute network traffic to multiple servers hosting the same content to improve performance. In the cloud, load balancers can use autoscaling to add or remove virtual machines in response to application demand. A, C, and D are incorrect. Most networks already use Ethernet switches, but that has no effect on web site response time. Fibre Channel switches are used in a storage area network (SAN) environment, not local area networks (LANs) or wide area networks (WANs). A proxy server retrieves Internet content for clients and then optionally caches it for later requests; it would not improve performance here.
Your IT security team has worked with executive management to determine that a company e-commerce web site must never remain down for more than two hours. To which disaster recovery term does this apply? A. RPO B. RTO C. MTTR D. MTBF
B. RTO --- B. The recovery time objective (RTO) specifies the amount of time it will take after an unexpected failure for systems to resume normal operation. In other words, it denotes the amount of time an application can be non-operational without causing irreparable damage to the business. A, C, and D are incorrect. The recovery point objective (RPO) is the amount of time that can elapse after a failure before system and data resume normal operation; for example, a six-hour RPO means data backups can never be more than six hours old. Mean time to recovery (MTTR) measures the amount of time it takes to return a device, system, or network to normal functionality. Mean time between failures (MTBF) is the measure of time between each subsequent failure of a repairable device.
Which of the following are the most closely related to creating a disaster recovery plan? (Choose three.) A. Determining which class of IP addresses are in use B. Ranking risks C. Disabling unused switch ports D. Assigning recovery tasks to personnel E. Establishing an alternate location to continue business operations
B. Ranking risks D. Assigning recovery tasks to personnel E. Establishing an alternate location to continue business operations
As the IT director, you are comparing public cloud providers. Your company will no longer house on-premises mail or application servers. Which factors under your control must you consider to ensure that e-mail and applications are always available to users? A. Updates applied to cloud provider hypervisors B. Redundant network links C. RAID level used on cloud provider servers D. MTTF for cloud provider server hard disks
B. Redundant network links
You are the network administrator for a small IT consulting firm. All servers are hosted externally in the public cloud. After analyzing threats, creating a DRP, and receiving management approval, you e-mail a copy to all employees for their reference in the event of a disaster. Identify the most serious problem. A. The e-mail should have been encrypted. B. The DRP was not tested. C. The e-mail should have been digitally signed. D. Only executives should have received the message.
B. The DRP was not tested.
Which items should be considered when ensuring high availability for an e-commerce web site? (Choose two.) A. Use TPM to encrypt server hard disks. B. Use redundant Internet links. C. Use network load balancing. D. Upgrade the server CMOS to the latest version.
B. Use redundant Internet links. C. Use network load balancing. --- B and C. High availability makes a resource available as often as is possible. Redundant Internet links allow access to the web site even if one Internet link fails. Network load balancing (which could use the redundant Internet links) distributes traffic evenly either to server cluster nodes or through redundant network links.
Which of the following identifies the individuals who communicate with external entities? IT Contingency Plan Crisis Communication Plan Business Resumption Plan Continuity of Operations Plan (COOP)
Crisis Communication Plan
Your Windows server will no longer boot the operating system. No recent updates or configuration changes have been applied. What should you do first to attempt to resolve the problem? A. Revert to the last known good configuration. B. Reinstall the operating system. C. Boot from a Windows Server live media disk and attempt to repair the installation. D. Apply a corporate operating system image.
C. Boot from a Windows Server live media disk and attempt to repair the installation.
Your server tape backup routine consists of a full backup each Friday night and a nightly backup of all data changed since Friday's backup. What type of backup schedule is this? A. Full B. Full and incremental C. Full and differential D. Disk snapshot
C. Full and differential --- C. Differential backups will archive data that has changed since the last full backup. Restoring data means first restoring the full backup and then the latest differential. A full backup, when not used with differential backups, is also called a copy backup.
You are a web site administrator. You need to minimize web site downtime in the event of a disaster or security compromise. Which of the following terms best describes the reliability of hard disks? A. MTBF B. MTTF C. MTTR D. RPO
C. MTTR --- C. Mean time to recovery (MTTR) (also sometimes known as mean time to restore) measures the amount of time it takes to return a device, system, or network to normal functionality. A, B, and D are incorrect. Mean time between failures (MTBF) is the measure of time between each subsequent failure of a repairable device. Mean time to failure (MTTF) is a statistical measurement applied to non-repairable items such as hard disks. It denotes the average useful life of a device, given that a specific number of those devices are in use. The recovery point objective (RPO) is the amount of time that can elapse after a failure before system and data resume normal operation; for example, a six-hour RPO means data backups can never be more than six hours old. The recovery time objective (RTO) differs in that it denotes the amount of time it will take after an unexpected failure for systems to resume normal operation. Unlike RPO, it does not specify how old the data can be.
Which of the following plans focuses on malware, hackers, intrusions, attacks, and other security issues? Business Resumption Plan Crisis Communication Plan IT Contingency Plan Cyber Incident Response Plan
Cyber Incident Response Plan
Which configuration provides network traffic load balancing? A. Multipath B. UPS C. NIC teaming D. PDU
C. NIC teaming
You are the administrator for a recently patched virtual Windows Server running Active Directory Domain Services (AD DS). Recently the server has been randomly rebooting and now cannot boot at all. What should you do? A. Run Windows update. B. Format the hard disk, reinstall the server, and restore from tape. C. Refer to your DRP. D. Refer to your BCP.
C. Refer to your DRP.
Which of the following statements describes the core purpose of using Tcpdump? Identify the open ports Identify vulnerabilities in a system Capture data packets on a network Monitor network devices
Capture data packets on a network
Which type of evidence collection methods can be used when litigation might be needed? [Choose all that apply] Chain of custody Health insurance information Legal hold Medical records
Chain of custody Legal hold
What should be used to make informed decisions regarding your specific disaster recovery plan? A. DRP template freely downloaded from a web site B. ROI analysis C. TCO analysis D. Business impact analysis
D. Business impact analysis --- D. A business impact analysis identifies which risks will affect business operations more than others. This is valuable in determining how to recover from a disaster. A, B, and C are incorrect. Freely downloadable DRP templates are generic and will not address your specific business or IT configuration. Return on investment (ROI) determines the efficiency of an investment (is the cost justified?). Total cost of ownership (TCO) identifies the true cost of a product or service. Neither ROI nor TCO is tied directly to your DRP like a business impact analysis is.
Your company backs up on-premises data using a tape backup system that also replicates backup data to the cloud. You need to back data up daily while minimizing backup storage capacity on local backup tapes. What should you do? A. Configure daily full backups. B. Configure weekly full backups with daily differential backups. C. Configure weekly incremental backups. D. Configure daily incremental backups.
D. Configure daily incremental backups. --- D. Daily incremental backups include only those items changed since the previous night's incremental backup and thus result in the least amount of daily backup data. A, B, and C are incorrect. Full backups each day will consume more storage space than daily incrementals. Differential backups include new and modified items since the last full backup and therefore take more storage space than daily incrementals. Weekly incrementals do not address the stated daily backup requirement.
You are the network administrator for a small IT consulting firm. All servers are located at the single site. Employees use a web browser to access their e-mail accounts. After testing the DRP and receiving management approval, you e-mail a copy to all employees for their reference in the event of a disaster. Identify the problem. A. The e-mail should have been encrypted. B. The e-mail should have been digitally signed. C. Only executives should have received the message. D. The mail server may not be available in the event of a disaster
D. The mail server may not be available in the event of a disaster --- D. The only copy of the disaster recovery plan exists on a mail server that users may not have access to when they need it most. Alternate storage locations and physical copies must be considered. A, B, and C are incorrect. Although encrypted and digitally signed e-mail is good practice, these answers are not problems in this scenario. A comprehensive DRP must be made available to applicable employees.
Your senior network administrator has decided that the five physical servers at your location will be virtualized and run on a single physical host. The five virtual guests are mission-critical and will use the physical hard disks in the physical host. The physical host has the hard disks configured with RAID 1. Identify the flaw in this plan. A. The physical server should be using RAID 5. B. The physical hard disks must not reside in the physical host. C. You cannot run five virtual machines on a physical host simultaneously. D. The physical host is a single point of failure.
D. The physical host is a single point of failure. --- D. If the single physical host experiences a failure, all five virtual machines will be unavailable. A second server should be clustered with the first, and virtual guests should use shared disk storage versus local disk storage. A, B, and C are incorrect. RAID 5 would not solve the problem of the disks being in a single server. Even if shared storage were used, the physical server would still be a single point of failure. Given enough hardware resources, many more than five virtual guests can run simultaneously on a virtualization server.
You are a cybersecurity administrator and have identified a suspicious account in your enterprise network. Which of the following is the best practice for handling such accounts? Delete the account permanently Disable the account Restrict the account from accessing the central database Move the account to different hardware
Disable the account
Which of the following tools is used for making a mirror image backup? GNU dd Winhex Autopsy memdump
GNU dd
Which of the following refers to a duplicate of the organization's current data center? Cold Site Temporary Site Warm Site Hot Site
Hot Site
What does the retention policy in an incident response plan define? Clear descriptions of the types and categories of incident definitions How long the evidence of the incident should be kept with the enterprise How and when internal and external constituents should be informed of the incident Who should get the information and when the security event has escalated to needing remediation
How long the evidence of the incident should be kept with the enterprise
Which of the following provides the plan for systems, networks, and major application recovery after disruptions? Business Resumption Plan Continuity of Operations Plan (COOP) IT Contingency Plan Crisis Communication Plan
IT Contingency Plan
Which of the following is a log management tool? Journalctl sFlow IPFIX Netflow
Journalctl
Which of the following tools would you use to scan a web application for vulnerabilities? Nmap Nikto Maltego Urlcrazy
Nikto
Which team is dedicated only to incident response? Virtual Team Permanent Team Hybrid Team Temporary Team
Permanent Team
You are a cyber forensic expert who has been called out to collect and preserve evidence for a security breach in progress. Which of the following evidence should you preserve first? Remote logging and monitoring data Network topology RAM Hard drive contents
RAM
Blaise needs to create a document that is a linear-style checklist of required manual steps and actions needed to successfully respond to a specific type of incident. What does she need to create? a. ARC Codebook b. Playbook c. Runbook d. SIEM-book
b. Playbook
Which of the following hashing algorithms is the common standard used for generating digital signatures? MD5 RIPEMD SHA HMAC
SHA
An investigation after a security breach in your enterprise proved that the breach occurred after an anonymous phone call to your enterprise telephone network. Which of the following protocols is most likely responsible for the breach? sFlow IPFIX SIP Netflow
SIP --- Session Initiation Protocol (SIP) is a signaling protocol used to create "sessions" between multiple participants and is widely found in voice telephony products. NetFlow is a session sampling protocol feature on Cisco routers that collects IP network traffic. sFlow is a packet sampling protocol that gives a statistical sample instead of the actual flow of packets. IPFIX (IP Flow Information Export) is similar to NetFlow but with additional capabilities.
Which of the following is a user or process accessing computer systems? Object Matter Operation Subject
Subject
In a Syslog implementation, which of the following components is an agent that collects the information from various devices and servers on the network? Syslog Analysis Syslog Collector Syslog Server Syslog Forwarder
Syslog Forwarder
Which of the following is NOT a problem associated with log management? a. Different log formats b. Time-stamped log data c. Multiple devices generating logs d. Large volume of log data
b. Time-stamped log data
You are a cybersecurity trainer, and the following are the objectives of an incident response plan listed by a student in a cybersecurity exam. Which of the following is a correct statement? To deceive the attackers To completely prevent an attack To avenge an attack To contain the spread of the attack
To contain the spread of the attack
Which type of incident response team is made up of experts who have other duties? Temporary Team Virtual Team Hybrid Team Permanent Team
Virtual Team
While performing digital forensics, which of the following should you investigate first? Volatile data Archival media Network topology Nonvolatile data
Volatile data
Which of the following contains all the required hardware and connectivity to restore services? Temporary Site Cold Site Warm Site Hot Site
Warm Site
Which of the following is a Linux utility that displays the contents of system memory? a. WinHex b. memdump c. Autopsy d. dd
b. memdump
Which type of access control scheme uses predefined rules that make it the most flexible scheme? a. ABAC b. DAC c. MAC d. NAC
a. ABAC
Which of the following is the most fragile and should be captured first in a forensics investigation? a. CPU cache b. Kernel statistics c. ARP cache d. RAM
a. CPU cache
Which of the following should be performed in advance of an incident? a. Segmentation b. Capture c. Containment d. Isolation
a. Segmentation
Which of the following is a packet sampling protocol that gives a statistical sample instead of the actual flow of packets? a. sFlow b. IPFIX c. journalctl d. NetFlow
a. sFlow
Which of the following can be considered personally identifiable information (PII)? [Choose all that apply] Medical records Social Security number Health insurance information Driver's license number
all
Which of the following tasks can be performed by the NXLog tool? [Choose all that apply] Forward events Store events Classify events Correlate events
all --- NXLog can classify events, correlate events, store events, forward events, filter events, perform pattern matching, rotate log files, and schedule tasks.
Which of the following is NOT part of the AAA framework? a. Accounting b. Access c. Authentication d. Authorization
b. Access
What is a platform used to provide telephony, video, and web conferences that can serve as an entry point to a threat actor? a. SIP b. Call manager c. VoIP d. IP voice
b. Call manager --- The call manager is the platform; VoIP is the IP protocol; SIP is the protocol used to create "sessions".
Raul has been asked to serve as the individual to whom day-to-day actions have been assigned by the owner. What role is Raul taking? a. Data controller b. Data custodian/steward c. Data privacy officer d. Data processor
b. Data custodian/steward
Which statement about Rule-Based Access Control is true? a. It is considered a real-world approach by linking a user's job function with security. b. It requires that a custodian set all rules. c. It is no longer considered secure. d. It dynamically assigns roles to subjects based on rules.
b. It requires that a custodian set all rules.
Which access control scheme is the most restrictive? a. Role-Based Access Control b. DAC c. MAC d. Rule-Based Access Control
c. MAC
Which of these is NOT an incident response process step? a. Lessons learned b. Recovery c. Reporting d. Eradication
c. Reporting --- The incident response process steps are preparation, identification, containment, eradication, recovery, and lessons learned.
Cheryl has been asked to set up a user account explicitly to provide a security context for services running on a server. What type of account will she create? a. Privilege account b. User account c. Service account d. Generic account
c. Service account
What is the amount of time added to or subtracted from Coordinated Universal Time to determine local time? a. Greenwich Mean Time (GMT) b. Civil time c. Time offset d. Daylight savings time
c. Time offset
Which of these is a set of permissions that is attached to an object? a. Entity attribute (EnATT) b. SRE c. Object modifier d. ACL
d. ACL
What can be used to provide both filesystem security and database security? a. RBASEs b. CHAPs c. LDAPs d. ACLs
d. ACLs
Ella wants to research an attack framework that incorporates adversary, infrastructure, capability, and victim. Which of the following would she choose? a. Basic-Advanced Incident (BAI) Framework b. Mitre ATT&CK c. Cyber Kill Chain d. Diamond Model of Intrusion Analysis
d. Diamond Model of Intrusion Analysis
Which of the following is typically a monthly discussion of a scenario conducted in an informal and stress-free environment to evaluate an incident response plan? a. Simulation b. Walkthrough c. Incident Response Plan Evaluation (IRP-E) d. Tabletop
d. Tabletop
Which tool is an open source utility for UNIX devices that includes content filtering? a. syslog b. nxlog c. rsyslog d. syslog-ng
d. syslog-ng
You are investigating a cybercrime, and the attacked enterprise is running different resources on different operating systems. What should you use to analyze logs in this scenario? nxlog journalctl syslog-ng rsyslog
nxlog
In an e-mail, which of the following are metadata? [Choose all that apply] Date Recipient Body of e-mail Subject Sender
Sender, recipient, date, subject