Security+ Chapter 14 Questions
Hitesh wants to keep a system online but limit the impact of the malware that was found on it while an investigation occurs. What method from the following list should he use? A. Containment B. Isolation C. Segmentation D. Black holing
A
Chris has turned on logon auditing for a Windows system. Which log will show the logon events? A. The Windows Application log B. The Windows Security log C. The Windows System log D. All of the above
B
Ian has been receiving hundreds of false positive alerts from his SIEM every night when scheduled jobs run across his datacenter. What should he adjust on his SIEM to reduce the false positive rate? A. Trend analysis B. Sensitivity C. Correlation rules D. Dashboard configuration
B
Mark unplugs the network connection from a system that is part of an incident and places tape over its Ethernet jack with a sign that says "Do not reconnect without approval from IR team." How is this method best described? A. Containment B. Isolation C. Segmentation D. Zoning
B
Megan's organization uses the Diamond Model of Intrusion Analysis as part of their incident response process. A user in Megan's organization has discovered a compromised system. What core feature would help her determine how the compromise occurred? A. Adversary B. Capability C. Infrastructure D. Victim
B
Selah is following the Cyber Kill Chain model and has completed the delivery phase. What step is next according to the Kill Chain? A. Weaponization B. Exploitation C. Installation D. Actions on Objective
B
Gwen is building her organization's documentation and processes and wants to create the plan for what the organization would do if her datacenter burned down. What type of plan would typically cover that type of scenario? A. An incident response plan B. A business continuity plan C. A disaster recovery plan D. A stakeholder management plan
C
Henry wants to check to see if services were installed by an attacker. What commonly gathered organizational data can he use to see if a new service appeared on systems? A. Registry dumps from systems throughout his organization B. Firewall logs C. Vulnerability scans D. Flow logs
C
Jim wants to view log entries that describe actions taken by applications on a CentOS Linux system. Which of the following tools can he use on the system to view those logs? A. logger B. syslog-ng C. journalctl D. tail
C
Madhuri wants to check a PNG-formatted photo for GPS coordinates. Where can she find that information if it exists in the photo? A. In the location.txt file appended to the PNG B. On the original camera C. In the photo's metadata D. In the photo as a steganographically embedded data field
C
Michael wants to log directly to a database while also using TCP and TLS to protect his log information and to ensure it is received. What tool should he use? A. syslog B. rsyslog C. syslog-ng D. journalctl
C
What tool is specifically designed to support incident responders by allowing unified, automated responses across an organization? A. IPS B. COOP C. SOAR D. IRC
C
Which team member acts as a primary conduit for senior management on an IR team? A. Communications and public relations B. Information security C. Management D. Technical expert
C
Alyssa wants to prevent a known Microsoft Word file from being downloaded and accessed on devices she is responsible for. What type of tool can she use to prevent this? A. An allow list tool B. A COOP C. A SIEM D. A deny list tool
D
As part of their yearly incident response preparations, Ben's organization goes through a sample incident step by step to validate what each person will do in the incident. What type of exercise is this? A. A checklist exercise B. A simulation C. A tabletop exercise D. A walk-through
D
Susan has discovered that an incident took place on her network almost six months ago. As she prepares to identify useful data for the incident, which common policy is most likely to cause her difficulties during her investigation? A. Configuration standards B. Communication policies C. Incident response policies D. Retention policies
D
The following figure shows the Security+ incident response cycle as a circular diagram: 1. X -> 2. Identification -> 3. Containment -> 4. Eradication -> 5. Recovery -> 6. Lessons Learned -> back to 1. What item is missing (step 1, marked X)? A. Planning B. Reporting C. Monitoring D. Preparation
D
What is the primary concern with sFlow in a large, busy network? A. It may allow buffer overflow attacks against the collector host B. sFlow is not designed for large or complex networks C. sFlow puts extreme load on the flow collector host D. sFlow samples only network traffic, meaning that some detail will be lost
D
What phase in the incident response process leverages indicators of compromise and log analysis as part of a review of events? A. Preparation B. Containment C. Eradication D. Identification
D
Which of the following is not one of the four phases in COOP? A. Readiness and preparedness B. Activation and relocation C. Continuity of operations D. Documentation and reporting
D