24 Flashcards
Which of the following answers refers to a U.S. government initiative that provides the details on how to ensure continued performance of essential functions during unexpected events?
** COOP **
Continuity of Operations (COOP) Plan
Which of the following terms refers to a group of experts designated to handle a natural disaster or an interruption of business operations?
** IRT **
Incident Response Teams.
A technology that enables real-time analysis of security alerts generated by network hardware and applications is known as:`
** SIEM **
Security information and event management
Which SIEM dashboard configuration setting provides a countermeasure against false positive/negative errors?
Sensitivity levels
A correlation engine used for processing various types of log data into an actionable information is a feature of:
SIEM dashboard
Which of the following answers refers to a protocol used for managing real-time sessions that include voice, video, application sharing, or instant messaging services?
** SIP **
Session Initiation Protocol (SIP) is used to signal and control interactive communication sessions. The uses for such sessions include voice, video, chat and instant messaging, as well as interactive games and virtual reality.
Which type of server is used for collecting diagnostic and monitoring data from networked devices?
Syslog server
Examples of utilities that enable logging of data from different types of systems in a central repository include: (Select all that apply)
- syslog
- rsyslog
- syslog-ng
- NXLog
Which of the following are log managing utilities for Unix and Unix-like systems that implement the basic syslog protocol and extend it with additional functionalities? (Select 2 answers)
- syslog-ng
- rsyslog
Which of the following is a cross-platform log-managing tool?
NGLog
Which of the following answers refers to a Linux utility for querying and displaying logs that are stored in binary form?
** journalctl **
Journalctl is a utility for querying and displaying logs from journald, systemd’s logging service. Since journald stores log data in a binary format instead of a plaintext format, journalctl is the standard way of reading log messages processed by journald
The term “Metadata” refers to a type of data that provides information about other data, but not the content of the data. This type of data can be viewed, but by default it is not visible to the user. The basic metadata related to email communication comes from email headers and includes detailed information about the sender and recipient of the message as well as the path that a message went through. Examples of mobile device metadata include device model, geolocation, information about the camera used to take a photo, Internet, phone, text messaging, and application usage statistics, as well as metadata from different types of files stored on the device. In web browsing, metadata comes from HTML meta tags placed in the head section of a web page. In case of files, the basic metadata examples include information about the author (e.g. the person who created the file), file type, size, creation date and time, last modification date and time.
True
Which of the following is a Cisco-designed IP traffic collection method that by default does not offer packet sampling?
Netflow
Which of the following answers refers to a cross-platform IP traffic collection method that takes advantage of packet sampling to optimize bandwidth and hardware resources usage?
sFlow
An IETF specification that defines how IP flow information is to be formatted and transferred from an exporter to a collector is called:
** IPFIX **
Internet Protocol Flow Information Export (IPFIX) is an accounting technology that monitors traffic flows through a switch or router
One of the best practices for malware removal involves the process of isolation of files and applications suspected of containing malware to prevent further execution and potential harm to the user’s system. This process is referred to as:
Quarantine
A SOAR playbook is a checklist of actions that can be performed in response to a security incident.
True
The term “SOAR runbook” refers to an exact sequence of actions that might be used to enable an automated response to a security incident.
True
In forensic procedures, a chronological record outlining persons in possession of an evidence is referred to as
Chain of custody
File timestamp is a metadata that contains information about a file and reflects when the file was created, last accessed, and last modified. In digital forensics, timestamps can be used for example to validate the integrity of an access log file (i.e. to check whether the file has been tampered with to mask unauthorized access attempt). Because different systems might be set to different time zones, in order to determine the chronological order of events during a security incident it is also important to take into account time offset which denotes the difference between the timestamp and a chosen reference time (a.k.a. time normalization).
True
In forensic procedures, a sequence of steps in which different types of evidence should be collected is known as
Order of volatility
The order of volatility from most volatile to least volatile is:
* Data in cache memory, including the processor cache and hard drive cache.
* Data in RAM, including system and network processes.
* A paging file (sometimes called a swap file) on the system disk drive
* Data stored on local disk drives
Which memory type provides a CPU with the fastest access to frequently used data?
Cache memory
A type of file that an OS uses to hold parts of programs and data files that cannot be stored in RAM due to insufficient memory space is called: (Select 2 answers)
- Swap File
- Pagefile
Which of the following can be used as an extension of RAM? (Select 2 answers)
- Pagefile
- Swap partition
Which of the following answers refers to an example order of volatility for a typical computer system?
- Cache memory
- RAM
- Swap/Pagefile
- Temporary files
- Disk files
- Archival media
