Security+ Section 12.1.5 Quiz


Which of the following is an important aspect of evidence-gathering?
  Monitor user access to compromised systems.
  Back up all log files and audit trails.
  Restore damaged data from backup media.
  Purge transaction logs.

Back up all log files and audit trails. - When gathering evidence, it is important to make backup copies of all log files and audit trails. These files help reconstruct the events leading up to the security violation. They often include important clues to the intruder's identity.

After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best step or action to take next?
  Restore and repair any damage.
  Back up all logs and audits regarding the incident.
  Update the security policy.
  Deploy new countermeasures.

Back up all logs and audits regarding the incident. - The first step after an intrusion is to retain the documentation about the incident. Making backups of the logs and audits ensures that future investigations have sufficient information regarding the incident. If you were unable to discover the identity of the perpetrator or means of attack, future review of the evidence or comparison with other incidents may reveal important details or patterns.

You are in charge of making sure the IT systems of your company survive in case of any type of disaster in any of your locations. Your document should include organizational charts, phone lists, and order of restore. Each business unit should write their own policies and procedures with guidelines from corporate management. Which of the following documents should you create for this purpose?
  Incident-response team charter
  Business continuity plan
  Disaster recovery plan
  Communication plan

Business continuity plan - You would make a business continuity plan. More detailed and longer than a disaster recovery plan, a business continuity plan has procedures and policies for each business unit. The policies and procedures are written by each business unit with guidelines from corporate management. This document includes organizational charts, phone lists, order of restore, and vendor contact information.

During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?
  Run a packet sniffer to monitor traffic to and from the access point.
  Connect to the access point and examine its logs for information.
  Disconnect the access point from the network.
  See who is connected to the access point and attempt to find the attacker.

Disconnect the access point from the network. - The first step in responding to an incident is to take actions to stop the attack and contain or limit the damage. For example, if an attack involves a computer system attached to the network, the first step might be to disconnect the system from the network. Although you want to preserve as much information as possible to assist in later investigations, it might be better to stop the attack, even if doing so alerts the attacker or results in the loss of evidence regarding the attack. After containing a threat, a forensic investigation can be performed on computer systems to gather evidence and identify the methods used in the attack.

When you conduct a forensic investigation, which of the following initial actions is appropriate for preserving evidence?
  Turn off the system.
  Document what is on the screen.
  Remove the hard drive.
  Stop all running processes.

Document what is on the screen - Preserving evidence while conducting a forensic investigation is a trade-off. Any attempt to collect evidence may actually destroy the very data necessary to identify an attack or attacker. Of the choices given, documenting what is on the screen is the least intrusive and the least likely to destroy critical evidence. Halting, disassembling, or stopping running processes may erase the data you need to track the intruder.

You are conducting a forensic investigation. The attack has been stopped. Which of the following actions should you perform first?
  Remove the hard drive.
  Stop all running processes.
  Turn off the system.
  Document what is on the screen.

Document what is on the screen - Preserving evidence while conducting a forensic investigation is a trade-off. Any attempt to collect evidence may actually destroy the very data necessary to identify an attack or attacker. Of the choices given, documenting what's on the screen is the least intrusive and the least likely to destroy critical evidence. Halting, disassembling, or stopping running processes may erase the data you need to track the intruder.

As a security analyst, you suspect a threat actor used a certain tactic and technique to infiltrate your network. Which incident-response framework or approach would you utilize to see if other companies have had the same occurrence and what they did to remedy it?
  Diamond Model of Intrusion Analysis
  MITRE ATT&CK
  Communication plan with stakeholders
  Cyber Kill Chain

MITRE ATT&CK - You would use the MITRE ATT&CK framework. This is a universally accessible, free database that contains techniques, tactics, and other operational information about malicious actors.

As a security analyst, you have discovered that the victims of a malicious attack have several things in common. Which tools would you use to help you identify who might be behind the attacks and prevent potential future victims?
  Implement appropriate stakeholder management
  Disaster recovery plan
  Cyber Kill Chain
  MITRE ATT&CK
  Diamond Model of Intrusion Analysis

MITRE ATT&CK, Diamond Model of Intrusion Analysis - You would choose the Diamond Model of Intrusion Analysis and use the MITRE ATT&CK database to help you. For example, by identifying the types of victims and why they were attacked, the analyst/first responder can make an educated guess as to who is behind the attack and who the potential victims are. This information can then be compared with information in the MITRE ATT&CK database. Since there are always unknowns, the database helps to fill in some of them.

What is the purpose of audit trails?
  To prevent security breaches.
  To detect security-violating events.
  To correct system problems.
  To restore systems to normal operations.

To detect security-violating events. - The purpose of audit trails is to detect security-violating events or actions. Auditing itself is used to prevent security breaches, and audit trails are used for detective control. Neither auditing nor audit trails correct problems or restore systems to normal operations. That is done by the IT staff that inspects the contents of audit trails and creates a solution that is then implemented into the environment via the security policy.

What is the best definition of a security incident?
  Criminal activity
  Violation of a security policy
  Interruption of productivity
  Compromise of the CIA

Violation of a security policy - The best definition of a security incident is a violation of a security policy.
