syo401-3


Requiring technicians to report spyware infections is a step in which of the following?

Incident management

Which of the following is BEST carried out immediately after a security breach is discovered?

Incident management

Who should be contacted FIRST in the event of a security breach?

Incident response team

After reviewing the following web logs for IP 13.10.66.5, the team is unable to correlate and identify the incident.

09:45:33 13.10.66.5 http://remote.site.com/login.asp?user=john
09:50:22 13.10.66.5 http://remote.site.com/logout.asp?user=anne
10:50:01 13.10.66.5 http://remote.site.com/access.asp?file=movie.mov
11:02:45 13.10.65.5 http://remote.site.com/download.asp?movie.mov=ok

Which of the following is the MOST likely reason why the incident response team is unable to identify and correlate the incident?

Incident time offsets were not accounted for.

Which of the following is the GREATEST security risk of two or more companies working together under a Memorandum of Understanding?

MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities.

The network administrator is responsible for promoting code to applications on a DMZ web server. Which of the following processes is being followed to ensure application integrity?

Application change management

A customer service department has a business need to send high volumes of confidential information to customers electronically. All emails go through a DLP scanner. Which of the following is the BEST solution to meet the business needs and protect confidential information?

Automatically encrypt impacted outgoing emails

Matt, a security analyst, needs to implement encryption for company data and also prevent theft of company data. Where and how should Matt meet this requirement?

Matt should implement DLP and encrypt the company database.

An incident response team member needs to perform a forensics examination but does not have the required hardware. Which of the following will allow the team member to perform the examination with minimal impact to the potential evidence?

Mounting the drive in read-only mode

Which of the following policies is implemented in order to minimize data loss or theft?

PII handling

Users can authenticate to a company's web applications using their credentials from a popular social media site. Which of the following poses the greatest risk with this integration?

Password breaches to the social media site affect the company application as well

Which of the following is the BEST approach to perform risk mitigation of user access control rights?

Perform routine user permission reviews.

Ann, a technician, received a spear-phishing email asking her to update her personal information by clicking the link within the body of the email. Which of the following types of training would prevent Ann and other employees from becoming victims of such attacks?

Personal Identifiable Information

Which of the following concepts is a term that directly relates to customer privacy considerations?

Personally identifiable information

Human Resources (HR) would like executives to undergo only two specific security training programs a year. Which of the following provides the BEST level of security training for the executives? (Select TWO).

Phishing threats and attacks
Information security awareness

Explanation: Phishing is a form of social engineering in which you ask someone for a piece of information that you are missing by making it look as if it is a legitimate request. An email might look as if it is from a bank and contain some basic information, such as the user's name. Executives easily fall prey to phishing if they are not trained to look out for these attacks.

During which of the following phases of the Incident Response process should a security administrator define and implement general defense against malware?

Preparation

The Chief Technical Officer (CTO) has tasked the Computer Emergency Response Team (CERT) to develop and update all Internal Operating Procedures and Standard Operating Procedures documentation in order to successfully respond to future incidents. Which of the following stages of the Incident Handling process is the team working on?

Preparation

Encryption of data at rest is important for sensitive information because of which of the following?

Prevents data from being accessed following theft of physical equipment

A security administrator is responsible for performing periodic reviews of user permission settings due to high turnover and internal transfers at a corporation. Which of the following BEST describes the procedure and security rationale for performing such reviews?

Review all user permissions and group memberships to ensure only the minimum set of permissions required to perform a job is assigned.

The security administrator is currently unaware of an incident that occurred a week ago. Which of the following will ensure the administrator is notified in a timely manner in the future?

Routine auditing

The system administrator has deployed updated security controls for the network to limit risk of attack. The security manager is concerned that controls continue to function as intended to maintain appropriate security posture. Which of the following risk mitigation strategies is MOST important to the security manager?

Routine audits

Which of the following are Data Loss Prevention (DLP) strategies that address data in transit issues? (Select TWO).

Scanning of outbound IM (Instant Messaging)
Scanning of HTTP user traffic

Sara, a company's security officer, often receives reports of unauthorized personnel having access codes to the cipher locks of secure areas in the building. Sara should immediately implement which of the following?

Security awareness training

The method to provide end users of IT systems and applications with requirements related to acceptable use, privacy, new threats and trends, and use of social networking is:

Security awareness training.

Sara, an employee, tethers her smartphone to her work PC to bypass the corporate web security gateway while connected to the LAN. While Sara is out at lunch her PC is compromised via the tethered connection and corporate data is stolen. Which of the following would BEST prevent this from occurring again?

Security policy and threat awareness training.

In which of the following categories would creating a corporate privacy policy, drafting acceptable use policies, and group based access control be classified?

Best practice

Used in conjunction, which of the following are PII? (Select TWO).

Birthday
Full name

The system administrator notices that their application is no longer able to keep up with the large amounts of traffic their server is receiving daily. Several packets are dropped and sometimes the server is taken offline. Which of the following would be a possible solution to look into to ensure their application remains secure and available?

Cloud computing

Cloud computing means hosting services and data on the Internet instead of hosting them locally. There is thus no issue when the company's server is taken offline.

A security technician wishes to gather and analyze all Web traffic during a particular time period. Which of the following represents the BEST approach to gathering the required data?

Configure a proxy server to log all traffic destined for ports 80 and 443.

A user has received an email from an external source which asks for details on the company's new product line set for release in one month. The user has a detailed spec sheet but it is marked "Internal Proprietary Information". Which of the following should the user do NEXT?

Contact the help desk and/or incident response team to determine next steps

Which of the following security strategies allows a company to limit damage to internal systems and provides loss control?

Containment strategies

A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at the site were facing the wrong direction to capture the incident. The analyst ensures the cameras are turned to face the proper direction. Which of the following types of controls is being used?

Corrective

Several employees have been printing files that include personally identifiable information of customers. Auditors have raised concerns about the destruction of these hard copies after they are created, and management has decided the best way to address this concern is by preventing these files from being printed. Which of the following would be the BEST control to implement?

Data loss prevention

Which of the following is the primary security concern when deploying a mobile device on a network?

Data security

End-user awareness training for handling sensitive personally identifiable information would include secure storage and transmission of customer:

Date of birth

Which of the following describes the purpose of an MOU?

Define responsibilities of each party

Ann would like to forward some Personal Identifiable Information to her HR department by email, but she is worried about the confidentiality of the information. Which of the following will accomplish this task securely?

Encryption

Which of the following is a Data Loss Prevention (DLP) strategy and is MOST useful for securing data in use?

Endpoint protection

What is the term for the process of luring someone in (usually done by an enforcement officer or a government agent)?

Enticement

Which of the following is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead?

Entrapment

The security officer is preparing a read-only USB stick with a document of important personal phone numbers, vendor contacts, an MD5 program, and other tools to provide to employees. At which of the following points in an incident should the officer instruct employees to use this information?

First Responder

An administrator wants to minimize the amount of time needed to perform backups during the week. It is also acceptable to the administrator for restoration to take an extended time frame. Which of the following strategies would the administrator MOST likely implement?

Full backups on the weekend and incremental during the week

Which of the following is the LEAST volatile when performing incident response procedures?

Hard drive

A company has decided to move large data sets to a cloud provider in order to limit the costs of new infrastructure. Some of the data is sensitive and the Chief Information Officer wants to make sure both parties have a clear understanding of the controls needed to protect the data. Which of the following types of interoperability agreement is this?

ISA / Interconnection Security Agreement

Explanation: An agreement between two organizations that have connected systems. The agreement documents the technical requirements of the connected systems.

The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems. Which of the following phases of incident response is MOST appropriate as a FIRST response?

Identification

Computer evidence at a crime is preserved by making an exact copy of the hard disk. Which of the following does this illustrate?

System image capture

In the initial stages of an incident response, Matt, the security administrator, was provided the hard drives in question from the incident manager. Which of the following incident response procedures would he need to perform in order to begin the analysis? (Select TWO).

Take hashes
Capture the system image

Which of the following is a best practice when a mistake is made during a forensics examination?

The examiner should document the mistake and work around the problem.

A security administrator needs to update the OS on all the switches in the company. Which of the following MUST be done before any actual switch configuration is performed?

The request needs to be approved through the change management process.

Acme Corp has selectively outsourced proprietary business processes to ABC Services. Due to some technical issues, ABC services wants to send some of Acme Corp's debug data to a third party vendor for problem resolution. Which of the following MUST be considered prior to sending data to a third party?

This may violate data ownership and non-disclosure agreements

Which of the following is the BEST reason to provide user awareness and training programs for organizational staff?

To reduce organizational IT risk

Which of the following assets is MOST likely considered for DLP?

USB mass storage devices

After an audit, it was discovered that the security group memberships were not properly adjusted for employees' accounts when they moved from one role to another. Which of the following has the organization failed to properly implement? (Select TWO).

User rights and permission reviews.
Management controls over account management.

Various network outages have occurred recently due to unapproved changes to network and security devices. All changes were made using various system credentials. The security analyst has been tasked to update the security policy. Which of the following risk mitigation strategies would also need to be implemented to reduce the number of network outages due to unauthorized changes?

User rights and permissions review

An internal auditor is concerned with privilege creep that is associated with transfers inside the company. Which mitigation measure would detect and correct this?

User rights reviews

Explanation: A privilege audit is used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of an organization. This means that a user rights review will reveal whether user accounts have been assigned according to their 'new' job descriptions, or if there are privilege creep culprits after transfers have occurred.

A forensic analyst is asked to respond to an ongoing network attack on a server. Place the items in the list below in the correct order in which the forensic analyst should preserve them.

When dealing with multiple issues, address them in order of volatility (OOV); always deal with the most volatile first. Volatility can be thought of as the amount of time that you have to collect certain data before a window of opportunity is gone. Naturally, in an investigation you want to collect everything, but some data will exist longer than other data, and you cannot possibly collect all of it at once. As an example, the OOV in an investigation may be RAM, hard drive data, CDs/DVDs, and printouts.

Order of volatility:
- Capture system images as a snapshot of what exists
- Look at network traffic and logs, capture any relevant video/screenshots/hashes
- Record time offset on the systems, talk to witnesses, and track total man-hours and expenses associated with the investigation

A server dedicated to the storage and processing of sensitive information was compromised with a rootkit and sensitive data was extracted. Which of the following incident response procedures is best suited to restore the server?

Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup.

A security administrator needs to image a large hard drive for forensic analysis. Which of the following will allow for faster imaging to a second hard drive?

dd in=/dev/sda out=/dev/sdb bs=4k

A system administrator is responding to a legal order to turn over all logs from all company servers. The system administrator records the system time of all servers to ensure that:

time offset can be calculated.

A company is trying to limit the risk associated with the use of unapproved USB devices to copy documents. Which of the following would be the BEST technology control to use in this scenario?

Data Loss Prevention (DLP)

An organization is recovering data following a datacenter outage and determines that backup copies of files containing personal information were stored in an unsecure location, because the sensitivity was unknown. Which of the following activities should occur to prevent this in the future?

Data classification

Which of the following helps to apply the proper security controls to information?

Data classification

Which of the following controls would prevent an employee from emailing unencrypted information to their personal email account over the corporate network?

DLP

The Chief Information Officer (CIO) is concerned with moving an application to a SaaS cloud provider. Which of the following can be implemented to provide for data confidentiality assurance during and after the migration to the cloud?

DLP policy

In which of the following steps of incident response does a team analyse the incident and determine steps to prevent a future occurrence?

Lessons learned

A security administrator plans on replacing a critical business application in five years. Recently, there was a security flaw discovered in the application that will cause the IT department to manually re-enable user accounts each month at a cost of $2,000. Patching the application today would cost $140,000 and take two months to implement. Which of the following should the security administrator do in regards to the application?

Accept the risk and continue to enable the accounts each month saving money

A recent intrusion has resulted in the need to perform incident response procedures. The incident response team has identified audit logs throughout the network and organizational systems which hold details of the security breach. Prior to this incident, a security consultant informed the company that they needed to implement an NTP server on the network. Which of the following is a problem that the incident response team will likely encounter during their assessment?

Record time offset

Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools?

Capture system image

To ensure proper evidence collection, which of the following steps should be performed FIRST?

Capture the system image

A compromised workstation utilized in a Distributed Denial of Service (DDOS) attack has been removed from the network and an image of the hard drive has been created. However, the system administrator stated that the system was left unattended for several hours before the image was created. In the event of a court case, which of the following is likely to be an issue with this incident?

Chain of custody

Computer evidence at a crime scene is documented with a tag stating who had possession of the evidence at a given time. Which of the following does this illustrate?

Chain of custody

The security manager received a report that an employee was involved in illegal activity and has saved data to a workstation's hard drive. During the investigation, local law enforcement's criminal division confiscates the hard drive as evidence. Which of the following forensic procedures is involved?

Chain of custody

Which of the following is the MOST important step for preserving evidence during forensic procedures?

Chain of custody

A security engineer is given new application extensions each month that need to be secured prior to implementation. They do not want the new extensions to invalidate or interfere with existing application security. Additionally, the engineer wants to ensure that the new requirements are approved by the appropriate personnel. Which of the following should be in place to meet these two goals? (Select TWO).

Change Control Policy
Regression Testing Policy

Developers currently have access to update production servers without going through an approval process. Which of the following strategies would BEST mitigate this risk?

Change management

Which of the following MOST specifically defines the procedures to follow when scheduled system patching fails resulting in system outages?

Change management

Which of the following mitigation strategies is established to reduce risk when performing updates to business critical systems?

Change management

An employee recently lost a USB drive containing confidential customer data. Which of the following controls could be utilized to minimize the risk involved with the use of USB drives?

DLP

Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data.

After a number of highly publicized and embarrassing customer data leaks as a result of social engineering attacks by phone, the Chief Information Officer (CIO) has decided user training will reduce the risk of another data leak. Which of the following would be MOST effective in reducing data leaks in this situation?

Information Security Awareness

Which of the following security awareness training is BEST suited for data owners who are concerned with protecting the confidentiality of their data?

Information classification training

Joe, a security administrator, is concerned with users tailgating into the restricted areas. Given a limited budget, which of the following would BEST assist Joe with detecting this activity?

Install a camera and DVR at the entrance to monitor access.

Which of the following security account management techniques should a security analyst implement to prevent staff, who has switched company roles, from exceeding privileges?

Internal account audits

After a recent security breach, the network administrator has been tasked to update and backup all router and switch configurations. The security administrator has been tasked to enforce stricter security policies. All users were forced to undergo additional user awareness training. All of these actions are due to which of the following types of risk mitigation strategies?

Lessons learned
