Professer Messer Practice Tests Flash Cards

Question 1

Directive

Answer 1

Directive control types are guidelines offered to help direct a subject towards security compliance. Training users on the proper storage of sensitive files would be an example of a directive control.

Question 2

Compensating

Answer 2

A compensating control can’t prevent an attack, but it can provide an alternative when an attack occurs. For example, a compensating control would include the re-imaging of a compromised server.

Question 3

Deterrent

Answer 3

A deterrent discourages an intrusion attempt, but it doesn’t directly prevent the access. An application splash screen or posted warning sign would be categorized as a deterrent.

Question 4

Data owner

Answer 4

The data owner is accountable for specific data, so this person is often a senior officer of the organization

Question 5

Data controller

Answer 5

A data controller manages the processing of the data. For example, a payroll department would be a data controller, and a payroll servicing company would be the data processor.

Question 6

Data steward

Answer 6

The data steward manages access rights to the data. In this example, the IT team would be the data steward.

Question 7

Data processor

Answer 7

The data processor is often a third-party that processes data on behalf of the data controller.

Question 8

OSINT

Answer 8

OSINT (Open Source Intelligence) describes the process of obtaining information from open sources such as social media sites, corporate websites, online forums, and other publicly available locations.

Question 9

Exfiltration

Answer 9

Exfiltration describes the theft of data by an attacker.

Question 10

Active reconnaissance

Answer 10

Active reconnaissance would show some evidence of data gathering.
For example, performing a ping scan or DNS query wouldn’t exploit a vulnerability, but it would show that someone was gathering information.

Question 11

Escalation scripting

Answer 11

Scripting and automation can provide methods to automate or orchestrate the escalation response when a security issue is detected.

Question 12

Log aggregation

Answer 12

Log aggregation provides a method of centralizing evidence and log files for reporting and future analysis. The aggregated log does not inherently provide a response to a security event.

Question 13

Vulnerability scan

Answer 13

A vulnerability scan will identify any known vulnerabilities that may be associated with a system. However, a vulnerability scan will not identify real-time infections or automate the response.

Question 14

Due care

Answer 14

Due care describes a duty to act honestly and in good faith. Due diligence is often associated with third-party activities, and due care tends to refer to internal activities.

Question 15

Statement of work

Answer 15

A statement of work is often used during a professional services engagement to detail a list of specific tasks to complete. In this example, all of the work is part of an internal audit and does not include any mention of third-party professional services.

Question 16

Acceptance

Answer 16

Risk acceptance is a business decision that places the responsibility of the risky activity on the organization itself.

Question 17

Mitigation

Answer 17

If the organization was to purchase additional backup facilities and update their backup processes to include offline backup storage, they would be mitigating the risk of a ransomware infection.

Question 18

Transference

Answer 18

Purchasing insurance to cover a risky activity is a common method of transferring risk from the organization to the insurance company.

Question 19

Risk-avoidance

Answer 19

To avoid the risk of ransomware, the organization would need to completely disconnect from the Internet and disable all methods that ransomware might use to infect a system. This risk response technique would most likely not apply to ransomware.

Question 20

SCAP

Answer 20

The SCAP (Security Content Automation Protocol) is used as a common protocol across multiple security tools. SCAP is not used to provide an encrypted tunnel between two locations.

Question 21

Exposure factor

Answer 21

An exposure factor describes a loss of value to the organization. For example, a network throughput issue might limit access to half of the users, creating a 50% exposure factor. A completely disabled service would calculated as a 100% exposure factor.

Question 22

Risk tolerance

Answer 22

Risk tolerance describes the amount of risk that would be acceptable to an organization. For example, an organization may tolerate the risk involved with a delay so that patches can be tested prior to deployment.

Question 23

Environmental variables

Answer 23

An environmental variable is considered when prioritizing patches and security responses. For example, a device in the production network environment will probably have priority over the devices in a test lab environment.

Question 24

ICS

Answer 24

ICS (Industrial Control Systems) devices are large industrial systems and usually involve manufacturing equipment or power generation equipment. A time clock would not be categorized as an ICS.

Question 25

NetFlow logs

Answer 25

NetFlow information can provide a summary of network traffic, application usage, and details of network conversations. The NetFlow logs will show all conversations from this device to any others in the network.

Question 26

Embedded system

Answer 26

An embedded system often does not provide access to the OS and may not provide a method of upgrading the system firmware.

Question 27

TPM

Answer 27

TPM (Trusted Platform Module) is part of a computer’s motherboard, and it’s specifically designed to assist and protect with cryptographic functions. Full disk encryption (FDE) can use the burned-in TPM keys to verify the local device hasn’t changed, and there are security features in the TPM to prevent brute-force or dictionary attacks against the full disk encryption login credentials.

Question 28

Incident Response Plan

Answer 28

Preparation - The preparation phase includes all of the work prior to the incident. This may include collecting hardware, installing software, gathering documentation, and managing incident response policies.
Detection - The detection phase includes any method of identifying and determining an incident may be actively occurring. This process also includes identifying a legitimate threat and not a false positive.
Analysis - The analysis phase provides detailed evidence for a security incident. Alarms, alerts, reports, and other feedback can be categorized as analysis.
Containment - Once an incident has been identified, it’s important to prevent the potential spread of any malicious code.
Eradication - Removing any malicious software and patching any vulnerabilities would be part of the eradication process.
Recovery -The recovery phase often includes rebuilding systems and replacing any compromised data.
Lessons learned - After the event is over, it’s useful to document the process and discuss how the incident response process could be more efficient if a similar event occurs in the future.