4. Communicating Cyber Security Findings Effectively Flashcards

1
Q

Which of the following is the MOST important reason for including KPIs in an incident management dashboard?

A)Helps management understand the performance of the incident management program.

B)Helps reduce the impact to production after an incident occurs.

C)Provides an executive summary on the most recent incident that occurred.

D)Helps determine the root cause of detected incidents.

A

KPIs help management understand how well the incident management program is performing at preventing, detecting, and remediating vulnerabilities and responding to incidents. KPIs measure crucial performance factors, including the severity of an incident’s impact and the organization’s speed of recovery.

2
Q

Some common incident management KPIs are: MTTD

A

Mean time to detect (MTTD) – the average time taken to discover an incident, measured from the time it occurred.

3
Q

Some common incident management KPIs are: MTTR (Respond)

A

Mean time to respond (MTTR) – the average time it takes the system to recover after a system failure is first detected.

4
Q

Some common incident management KPIs are: MTTR (Remediate)

A

Mean time to remediate – the average time elapsed between the incident being detected and the incident being completely remediated.

5
Q

Some common incident management KPIs are: Alert volume

A

Alert volume – the number of alerts that were detected during the given period of time.

6
Q

Post-Incident report

A

Timeline: Describes the events as they occurred from first detection to final resolution.

Recommendations: Provides information on recommendations from the technical teams and subject matter experts on how to prevent similar incidents in the future.

Impact: Assesses the damage (both actual and reputational) caused by the incident and applies a cost figure if possible.

Scope: Describes the systems and networks affected by the incident.

Evidence: Lists any digital or physical evidence that may be used to identify and hold responsible those causing the incident.

Alert Volume: displays the number of alerts that were detected during the given period of time.

7
Q

You are a cybersecurity advisor for your organization. You have observed recurring security incidents over the month that have significantly impacted production.

Which of the following should you initiate to determine the factors that caused the security incidents?

A)A review of the Business Continuity Plan (BCP).

B)A review of technical controls implemented in your environment.

C)Testing your incident management program.

D)Performing root cause analysis.

A

To determine the factors that caused the recurring security incidents, you should perform root cause analysis. Root cause analysis helps identify the factors that caused the incident. It also gives the organization an opportunity to improve its existing incident response plan, and it helps you identify the corrective actions that should be taken to prevent similar incidents in the future.

8
Q

Your organization has recovered from a major security incident. You have planned the lessons learned meeting with relevant stakeholders.

Which of the following is NOT a benefit of a lessons learned meeting?

A)Helps maintain regulatory reporting.

B)Helps create an escalation matrix.

C)Helps determine the root cause of the incident.

D)Helps update incident response policies and procedures.

A

Lessons learned meetings do not help in creating an escalation matrix. However, they can help improve the escalation matrix. An escalation matrix is part of an incident response plan. Contact information for relevant levels is included in the escalation procedures. Lessons learned meetings help identify strong and weak areas of the plan. For example, if an escalation matrix is identified as a weak area of the incident response plan, this would be the opportunity to make improvements to the process.

9
Q

Your organization has a critical e-commerce application that processes financial transactions. All the credit card transactions are processed and reconciled by a single individual. Your company cannot segregate the processing and reconciliation duties and assign them to different people due to budget constraints.

You are a cybersecurity analyst for the organization.

Which of the following compensatory controls could you suggest in order to reduce the risk of error and fraud?

A)Conduct an independent third-party audit at least annually to review the credit card transactions and relevant documentation.

B)Implement a password policy for the individual that forces a password reset once a month.

C)Rotate the job every month and assign it to a different individual.

D)Ask the individual to do a self-audit of all the transactions on a monthly basis and share the results with their supervisor.

E)Conduct security awareness training for the individual.

A

Since the organization cannot implement segregation of duties due to budget constraints, you should implement one or more compensatory controls. Compensatory controls are alternatives that can be used when other mandatory or primary controls cannot be implemented due to logistical issues.

In the given scenario, compensatory controls could include conducting an independent third-party audit at least annually to review the credit card transactions and relevant documentation. They could also include rotating the job every month and having it performed by a different individual. Conducting an independent audit at regular intervals validates the credit card transactions and relevant documentation, confirming that the transactions are valid and surfacing any error or fraud. Rotating the job every month ensures that no single person is solely responsible for financial reconciliation. Rotation increases the chances that fraudulent transactions will be detected by another person.

Asking the individual to self-audit all the transactions on a monthly basis and share the results with their supervisor will not act as a compensatory control in the given scenario. If the individual is auditing their own work, they may hide fraudulent activity and present a false report to their supervisor.

Conducting security awareness sessions may provide the individual with some knowledge regarding security issues, but it will not prevent an employee from conducting fraudulent transactions or increase the chance that these events are detected.

Forcing the individual to change their password does not prevent the user from conducting fraudulent transactions.

10
Q

SLA,SLO,SLI,KPI

A

An SLA is a legal agreement or contract between the customer and the service provider. If the contract is breached, the service provider has to pay penalties. Standard components of an SLA are:

Service-level title
Metric definition
Calculation to measure performance
Tools used to measure performance
Duration over which performance will be measured
Metrics to achieve the SLA
Penalties in case the contract is breached

A service-level indicator (SLI) is a quantifiable measure of the reliability of the product, such as how often the product breaks and needs repair. The SLI is defined collaboratively among the security teams and product owners.

Service-level objectives (SLOs) are performance-based metrics, benchmarks, or goals directly associated with SLAs.

Key performance indicators (KPIs) are metrics that help you measure the success of the program and aid in decision making. Examples of KPIs are number of daily password changes, number of incidents a week, or average incident response time.

11
Q

After performing a vulnerability scan on your company’s SQL server, you identify several issues that need to be handled. All of the identified issues will require changes to the current configuration of the SQL server. Your company has an established change control process in place. What should you submit to start this process?

A)SLA
B)MOU
C)CCB
D)RFC

A

You should submit a request for change (RFC) to start the formal change control process for the issues identified by the SQL server vulnerability scan. The RFC is evaluated and submitted to the change control board (CCB) for approval. If the RFC is approved, then the appropriate steps will be taken to complete the change. If it is denied, then no actions are taken.

All changes should be logged in a change log to ensure that records are maintained for both approved and denied RFCs. During the change control process, communication is key because the change status needs to be conveyed to the appropriate individuals. In addition, communication must occur to ensure that the change is completed once it is approved.

12
Q

You are a cybersecurity consultant for your organization. You have recently implemented a vulnerability management program and are in the process of finalizing the table of contents in the vulnerability management report.

Which of the following is NOT an element of a successful and effective vulnerability management report?

A)Provide clear and concise information in the report.

B)Include detailed findings and metrics in the report.

C)Recommend plans of action to remediate the findings in the report.

D)Include the organization’s business goals and objectives in the report.

A

The organization’s business goals and objectives are not an element of the vulnerability management report and should not be included in the assessment report. They belong in organizational-level security policies. To make security policies effective, they should be mapped appropriately to business goals and objectives.

13
Q

Key elements of successful and effective vulnerability management reports are:

A

The report begins with an executive summary.
The language is clear and concise.
The report is easy to understand by its intended audience.
It provides the actions / recommendations for the identified vulnerabilities.
It includes detailed vulnerabilities and metrics for technical personnel.
It provides dashboards and pie charts.
It includes graphic elements like a risk-based vulnerabilities matrix.

14
Q

Your organization is signing a contract with a service provider that will provide cloud services to your organization. You are finalizing the SLA, SLO, SLI, and KPIs to be included in the contract with the service provider.

You have stated in the contract that if the performance of cloud services is impacted, it must be restored within one hour. Which of the following does this statement refer to?

A)SLA
B)SLO
C)SLI
D)KPI

A

Service-level objectives (SLOs) are performance-based metrics, benchmarks, or goals directly associated with SLAs.

15
Q

Your organization has recently performed a vulnerability assessment on the data center. The vulnerability assessment report was circulated to the relevant asset owners for discussion.

Which of the following sections of the vulnerability assessment report would identify whether mitigations applied after prior vulnerability assessments were effective?

A)Recurrence
B)Prioritization
C)Affected hosts
D)Risk score

A

The Recurrence section will identify any issues previously identified that are still present despite controls having been applied. Recurring issues should receive priority when designing solutions.

16
Q

You are a cybersecurity analyst for your organization. Your organization has a mature patch and vulnerability management process. All systems and devices are appropriately patched according to the planned patch management process, automatically through the use of System Center Configuration Manager (SCCM).

A recent vulnerability assessment reveals that critical systems have vulnerabilities. Which of the following is the MOST LIKELY scenario?

A)The vulnerability assessment tools do not have an up-to-date vulnerabilities engine.

B)Zero-day vulnerabilities were discovered.

C)The prior vulnerability assessment results were showing false positives.

D)Your critical systems are not patched.

A

The MOST likely scenario is that zero-day vulnerabilities were discovered that affect your critical systems. Zero-day vulnerabilities are security flaws in the application, operating system, or device that are unknown to the parties responsible for patching or fixing the issue, and for which there is yet no patch to install. Zero-day vulnerabilities can only be addressed with compensating controls, up to and including taking a system offline to avoid an exploit.

17
Q

Which of the following is NOT a role of the legal department in the creation of an incident response plan?

A)Develop wording of documents used to contact possibly affected sites and organizations.

B)Review non-disclosure agreements to ensure their support for incident response efforts.

C)Assess site liability for illegal computer activity.

D)Create policies and procedures that support the removal of employees found to be engaging in improper or illegal activity.

A

It is not a role of the legal department to create policies and procedures that support the removal of employees found to be engaging in improper or illegal activity. That is a role of the HR department. The HR department has two roles in incident response:

Develop job descriptions for those persons who will be hired for positions involved in incident response.

Create policies and procedures that support the removal of employees found to be engaging in improper or illegal activity.

The legal department has three roles in incident response:

Review the non-disclosure agreement (NDA) to ensure legal support for incident response efforts.

Develop wording of documents used to contact sites and organizations possibly affected by an incident that originated with your company’s software, hardware, or services.

Assess site liability for illegal computer activity.

It is also important to consider public relations in an incident response plan. It is vitally important that the PR department work with the crisis management team to develop the proper messaging for the organization’s customers and the general public.

18
Q

You are a cybersecurity analyst for your organization. Your organization has observed a high number of vulnerabilities that were not remediated after discovery. Instead, the same vulnerabilities are being detected on multiple vulnerability assessment reports.

You have been asked to identify the barriers to remediation that are preventing these vulnerabilities from being addressed, and to present an action plan for overcoming them. Which of the following is NOT typically a factor that would inhibit the remediation process in an organization?

A)System degradation
B)Contractual obligations
C)Organizational governance policies
D)The use of compensatory controls
E)Business-critical processes
F)The use of proprietary systems

A

Compensatory controls are not typically an inhibitor to the remediation process. Compensatory controls are alternative solutions that can be used when mandatory or primary controls cannot be implemented. Compensating controls substitute for a primary access control. They mainly act as mitigations to risk and help bring it down to an acceptable level.

All of the other factors may inhibit remediation.

Organizations can be reluctant to stop business-critical processes, especially those that directly generate revenue, in order to patch or remediate a vulnerability. This reluctance may result in repeated delays, raising the organization’s exposure to a critical vulnerability.

System degradation is a concern, especially when patching an older or proprietary system. Implementing a fix or patch may negatively affect other systems or applications in unexpected ways, or even break a key functionality. Patches should always be tested (when feasible) in a sandbox environment and rolled out in stages to assess their impact.

Proprietary systems are those systems developed in-house. Since there is no vendor to issue updates, patches must be created and implemented by local teams. This can be an issue that requires more scheduling than simply searching for and installing patches.

Organizational governance includes any organizational policy or standard that can affect remediation, such as time-consuming change control procedures. Some systems, such as accounting and financial systems, must remain in compliance with industry standards or federal laws; in these situations, vulnerability remediation must be validated after it is implemented to ensure the system did not fall out of compliance.

Contractual obligations like SLAs and MOUs can be an inhibitor to the remediation process. A service-level agreement is a contract between two parties to provide services, and includes performance metrics that must be met and can interfere with remediation processes. A memorandum of understanding (MOU) is another kind of agreement between two parties that limits how some services can be interrupted or rendered. For example, your organization may use a specialized embedded component in your network that can only be serviced by a specific vendor with the appropriate training and certification, rather than being patched by your in-house team.

19
Q

Your organization has outsourced the vulnerability management function to a third-party service provider. You are finalizing the contract with the provider, specifically the manner in which trends will be tracked and reported to your senior management.

Which of the following is an example of a KPI?

A)Overall number of vulnerabilities successfully remediated.

B)50% waiver on the one-month invoice in case critical vulnerabilities are not remediated within 15 days.

C)Number of vulnerabilities for a new application release should be less than 10.

D)Critical vulnerabilities should be resolved within 15 days and 98% of the time.

A

The number of vulnerabilities remediated is an example of a key performance indicator (KPI). KPIs are the metrics that help you measure the success of your security program and aid in decision-making. They provide the quantifiable metrics that prove whether a program is effective. Some of the important KPIs for a vulnerability management program are:

Average time to action
Mean time to respond (MTTR)
Mean time to contain (MTTC)
Compliance with standards
Accepted risk score
Average vulnerability age
Rate of recurrence
Number of risks remediated

20
Q

You have identified several inhibitors to your company’s vulnerability management process. Which of the following is an organizational governance inhibitor?

A)Removing a device that is critical to accounts receivable

B)Violating the SLA with a third party

C)Patching a system that is needed 24/7

D)Following formal change control procedures

A

Of the options provided, following formal change control procedures is an example of an organizational governance inhibitor.

Removing a device that is critical to accounts receivable is a business process interruption inhibitor.

Patching a system that is needed 24/7 is an inhibitor that will degrade functionality.

Violating the SLA with a third party is an inhibitor based on service agreements.

21
Q

You have a business-critical legacy application that was developed in-house and is installed on a Windows Server 2016 operating system. The application is used to provide services to customers and has no tolerance for downtime.

Microsoft has released critical patches for the server that will take the system offline for four to eight consecutive hours when installed. You cannot install the patches due to contractual obligations with customers that require 99.999999% uptime for the legacy application.

Which of the following BEST describes the inhibitor to remediation?

A)Business process interruption
B)Changing business requirements
C)SLA
D)Legacy system
E)Proprietary system

A

Of the given options, the MOST inhibiting factor is the service-level agreement (SLA) that states the legacy application must provide 99.99999% uptime to business customers. In the given scenario, your organization has contractual obligations with the customer outlined in the SLA. An SLA is a contract between two parties to provide services, and includes performance metrics that must be met by the provider. Installing patches may also break the application, which may impact the business.

22
Q

Which of the following is used to drive improvement in the security posture of the organization?

A)change control process
B)incident response plan
C)lessons learned document
D)incident summary report

A

The lessons learned document will briefly list and discuss what we now know, either about the attack or about our environment, of which we were formerly unaware.

23
Q

The incident summary report covers the major points of the incident. Some of the highlights that should be included are:

A

When was the problem first detected and by whom?
What was the scope of the incident?
How was it contained and eradicated?
What work was performed during recovery?
In which areas were the CIRT teams effective?
In which areas did the CIRT teams need improvement?

24
Q

You are a cybersecurity advisor for your organization. You are preparing a dashboard for leadership which will include KPIs and other metrics for the organization’s incident management program.

After an incident is detected, which of the following metrics will provide information on the average time it takes to temporarily resolve the incident?

A)Mean-Time-To-Resolve
B)Mean-Time-To-Recover
C)Mean-Time-To-Acknowledge
D)Mean-Time-To-Detect

A

Mean-Time-To-Recover will provide information on the average time it takes to temporarily resolve the incident after the incident is detected. The longer this time period, the more the organization may be negatively affected. For example, the impacts of a security incident shutting down a business web site become greater the longer it takes to make a temporary fix.

Mean-Time-To-Resolve will not provide information on the average time it takes to temporarily resolve the incident after the incident was detected. Mean-Time-To-Resolve, also called Mean-Time-To-Mitigate, is the average time between detection of the incident and its complete remediation.

Mean-Time-To-Detect will not provide information on the average time it takes to temporarily resolve the incident after the incident was detected. Mean-Time-To-Detect provides information on the average time it takes to discover each incident.

Mean-Time-To-Acknowledge will not provide information on the average time taken to temporarily resolve the incident after the incident was detected. Mean-Time-To-Acknowledge measures the time it takes for a person to recognize the incident and activate the incident response plan.

25
Q

As a security analyst, you assess your company’s current enterprise against several NIST standards for IT security. As a result of the assessment, you determine that several security controls need to be implemented. After providing your recommendations to management, you discover that three non-compliant systems must remain in their current configuration for business reasons. However, these three systems will be completely removed from the enterprise in six months. You need to ensure that these cases are documented appropriately. What should you do?

A)Implement an exception management process whereby these systems are documented and tracked.

B)Implement a configuration management process whereby these configurations are documented and tracked.

C)Prepare a remediation plan whereby these systems are remediated within the next six months.

D)Implement a change management process whereby these changes are documented and tracked.

A

You should implement an exception management process whereby these systems are documented and tracked. This will ensure that any reports you must provide will include the documentation of these exceptions. It will also serve as a reminder to ensure that these systems are to be removed within six months.

26
Q

You are a cybersecurity consultant for your organization. Your organization has well documented security policies and standards. You run a phishing test and observe that 40% of the users clicked the links in the phishing emails and provided confidential information.

Which of the following is MOST LIKELY the reason your users are failing at these phishing campaigns?

A)Lack of effective spam filters.

B)Lack of awareness and training sessions.

C)Lack of punitive measures.

D)Lack of security incident reporting at the organizational level.

A

Lack of awareness and training sessions is the most likely reason users are failing the phishing campaigns in the given scenario. Conducting regular employee security awareness training sessions will help employees recognize phishing attacks and avoid clicking on malicious links.

27
Q

You are a cybersecurity analyst in your organization. Your organization has an application hosted on a Windows server which is nearing EOL (End of Life). The appropriate solution is to sunset the server and move the application to a supported version of Windows Server. However, due to business requirements, the server cannot be updated at this time and must remain online after EOL to continue running the application.

As a proposed solution, you suggest creating a virtual server with the same specifications and running the application in a container not exposed to the public network.

What type of controls does this suggestion represent?

A)Compensatory controls
B)Corrective controls
C)Deterrent controls
D)Preventative controls

A

This represents compensatory (or compensating) controls to bring down the risk level of the server while meeting the business requirement for it to remain in service. Compensatory controls are alternatives that can be used when other mandatory or primary controls cannot be implemented. Other examples of compensating controls would be implementing multi-factor authentication for the server and not storing confidential information on it, reducing the risk of data exposure. Compensating controls should be reviewed regularly until they are replaced with a primary control.

28
Q

You have implemented a vulnerability management program in your organization. You are currently identifying how vulnerability assessment reports should be prepared and communicated to relevant stakeholders.

Which of the following is NOT a benefit of vulnerability management reporting?

A)Provides control owners and technical teams with visibility and clarity on their remediation plans.

B)Helps IT leaders evaluate the overall effectiveness of the vulnerability management program.

C)Helps relevant stakeholders prioritize vulnerability remediation efforts.

D)Ensures that affected systems will be patched in a timely manner.

A

Vulnerability management reporting will not ensure that affected systems are patched in a timely manner. The results of vulnerability scans and assessments, whether generated automatically by security tools or produced by human testing, should be followed with action plans to document that recommended fixes were implemented and the success of those efforts.

To make the vulnerability management program successful, vulnerability management reporting plays an important role. Reporting helps IT leaders evaluate effectiveness of a vulnerability management program.

Vulnerability management reports present data that is easily understood by management and relevant teams, helping stakeholders prioritize the vulnerability remediation efforts. They also provide control owners and technical teams with visibility and clarity on their remediation plans.

You can tailor vulnerability management reports to be shared with different audiences. For example, senior management should be directed to dashboards and high-level summaries that include metrics and KPIs.

Technical teams should receive more detailed reports that explain the severity, impact, risk score, affected hosts, and suggested remediation.

29
Q

You are a cybersecurity advisor for your organization. You are developing the incident reporting procedures.

Which of the following is the weakest reason to report security incidents?

A)Protect business relationships

B)Build trust with customers and stakeholders

C)Ensure vulnerabilities are communicated to stakeholders

D)Maintain regulatory compliance

E)Ensure prompt remediation

A

While communicating vulnerabilities to stakeholders is important, as compared to the other reasons given for reporting incidents it is the weakest.

30
Q

Organizations must report security incidents for the following reasons:

A

Maintain regulatory compliance – Regulatory requirements, such as the EU General Data Protection Regulation (GDPR), require organizations to report security incidents within 72 hours after the incident is detected. Where federal laws or regulatory requirements apply, organizations must comply with these requirements and report security incidents within defined timeframes.

Build trust with customers and stakeholders – Your organization may have access to confidential customer information and be obligated to protect that information. Organizations should report security incidents to customers and stakeholders whenever there is a major security breach and/or business impact. Reporting the security incident to customers and external parties creates a sense of trust, indicating a high level of responsibility for their confidential information.

Protecting business relationships – Organizations often outsource technology-related work to third parties. Organizations should report security incidents to these business partners. This ensures third parties can take proactive measures and have controls in place to protect against the security threats.

Ensure a prompt remediation plan – Promptly reporting security incidents plays an important role in remediating the incident. As soon as an incident is detected, it should be reported to the appropriate stakeholders and the incident response plan should be activated to provide timely containment and mitigation.

31
Q

You need to deploy a security patch on several servers. Currently, you have a contract in place with a third party that states that these servers can only be updated during a regularly scheduled maintenance period. Unfortunately, the third party will not allow unscheduled maintenance because of availability needs. Which of the following is the inhibitor to this remediation?

A)SLA
B)Functionality degradation
C)Business process interruption
D)Organizational governance

A

A service-level agreement (SLA) is the inhibitor to this remediation. The scenario specifically states that a contract is in place with a third party stating that these servers can only be updated during a regularly scheduled maintenance period. An SLA is a contract between two parties to provide services and includes performance metrics that must be met.

Organizational governance includes any organizational policy or standard that can affect remediation, such as formal change control procedures.

Business process interruption includes any remediation that may result in the interruption of a business process, such as ecommerce transactions.

Functionality degradation includes any remediation that may negatively affect the performance or functionality of a device, such as a web server.

32
Q

Your company recently conducted a penetration test for Verigon to determine compliance with several federal regulations. Six months after the test was conducted, Verigon management must provide compliance documentation of the penetration test. Which type of report is needed?

A)Rules of engagement
B)Executive summary
C)Lessons learned
D)Attestation of findings

A

An attestation of findings is needed because this is considered proof that the appropriate penetration test was completed.

An executive summary is part of the written report that was provided to Verigon for internal distribution only. A formal written penetration testing report is not generally distributed outside the organization and as such, should not be used as compliance documentation.

The rules of engagement define the actions that a penetration tester is allowed to take and which actions the tester is prohibited from taking.

The lessons learned documents provide information about what is learned from the penetration test. This documentation would be generated by Verigon personnel without the contractor being present. Lessons learned will help improve future penetration tests.

33
Q

Your organization has detected a major security breach which has impacted users’ Personally Identifiable Information (PII).

During which phase of the incident response life-cycle should you notify the legal and public affairs departments about the security breach?

A)Post-Incident Activity
B)Containment, Eradication, & Recovery
C)Detection & Analysis
D)Preparation

A

You should notify your legal and public affairs department about the security breach during the Detection & Analysis phase of the incident response lifecycle. When the incident response team is analyzing and prioritizing the incidents, they should also determine the individuals and departments to be notified regarding the incident. Reporting requirements may be different from organization to organization; however, you should typically include the following roles and individuals:

Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
System and asset owners and custodians
Other incident response teams in the organization
External stakeholders (as appropriate)
Legal and public affairs departments
Law enforcement (if applicable)

34
Q

According to NIST, the incident response life-cycle has four phases.

A

Preparation – During this phase, you should learn your organization’s IT infrastructure and what kind of sensitive information is captured and stored. You should develop or identify all the required resources, such as a communication plan, contact information, on-call information, devices, required software, and an internal command centre. You should also ensure your organization has reasonable controls implemented to reduce the number of incidents. If your organization does not develop and implement reasonable controls, you are at risk of a higher number of incidents.

Detection & Analysis – During this phase, ensure that you have appropriate resources in place to detect the incident. Analysis focuses on determining the impact and severity of incidents.

Containment, Eradication, & Recovery – Containment targets containing the attack or asset that has been affected by the incident. Eradication focuses on removing or remediating the affected systems or resources. Recovery describes how to recover systems and restore them to normal operations.

Post-Incident Activity – This phase addresses root cause analysis, lessons learned meetings, and gathering information to enhance existing incident response processes and help prevent similar incidents in the future.

35
Q

As the cybersecurity advisor for your organization, you are tasked with developing and implementing an incident response plan. You are in the process of creating the communication escalation path.

Which of the following is NOT an important factor in creating the communication escalation path?

A)Secure communication protocols
B)Contact information for all stakeholders
C)Internal team structure for stakeholders
D)Communication schedules

A

The internal team structure for stakeholders is not typically relevant when creating a communication escalation path. The path should be based on skill level in addressing incidents, not team position.

An effective communication escalation path identifies who the tester should contact, how often contacts should be notified, and under which conditions the stakeholders should be contacted. It also includes their contact information. Specifically, it should include:

Contact information for all relevant stakeholders

How often stakeholders should be notified

Method of communication with the stakeholders

Individuals to contact in case of emergency

36
Q

Your organization has experienced a major security breach which impacted production. As a result, your organization suffered financial losses.

You have scheduled a lessons learned meeting with the appropriate stakeholders. Which phase of the incident response life cycle includes lessons learned?

A)Eradication
B)Containment
C)Recovery
D)Post-incident activity

A

A lessons learned meeting is planned for the Post-Incident Activity phase of the incident response lifecycle.

A lessons learned meeting is part of post-incident activities and provides these benefits, helping to:

Identify how and why the incident occurred.
Determine the root cause of the incident.

Update incident response policies and procedures.
Create a follow-up report of action items.

Identify the events that triggered the incident and must be monitored in the future.

Identify people, processes, and technologies required to detect, analyze, and remediate future incidents.

37
Q

You are a cybersecurity consultant for your organization. Your organization has conducted periodic vulnerability assessments on the IT infrastructure. You found that there are a few servers that are out of support from Microsoft and have not received patches for the past six months. During analysis, you learned that these legacy servers are providing services to the customer and will be decommissioned in the next 12 months.

What should you do?

A)Upgrade the servers to latest version of the operating system supported by Microsoft.

B)Update the compliance report to note the servers are out of compliance.

C)Conduct awareness sessions for business owners on patching the servers.

D)Log a case with Microsoft to receive extended support for these legacy servers.

E)Document and approve a policy exception for 12 months.

A

You should document and approve the exception for 12 months. Exceptions are required to deviate from policy, and a strong business requirement must exist to accept the deviation. Exceptions should document the risks and have acceptance from the business owner. Exceptions are not permanent and should be granted for a short duration until the vulnerability is either mitigated or removed.

38
Q

You are a cybersecurity advisor for Nutex Inc. You are designing the incident response reporting and escalation policies and procedures. Specifically, you are outlining how best to share the organization’s sensitive information with external parties in case of a security incident. Which party or parties should you consult FIRST?

A)Legal department
B)CEO
C)Board of directors
D)Public relations department

A

You should first consult with the legal department for guidance on sharing your organization’s sensitive information with external parties in the case of a security incident. You may also need to share information regarding an incident with external or public stakeholders, such as the media, law enforcement, or customers. While designing the incident response reporting and escalation policies and procedures, it is important to have discussions with the legal department, public affairs, and management. You should document all contacts and communications with external parties for liability and evidentiary purposes.

38
Q

You are a cybersecurity advisor for your organization. In a recent audit conducted by an external party, it was found that your organization lacks a process to track and manage assets and their relation to one another.

To remediate the finding, you have been asked to suggest the solution. What should you suggest?

A)Implement a change management process

B)Implement a release management process.

C)Maintain an Excel file for all the IT assets and resources.

D)Implement a configuration management process.

A

You should implement a configuration management process to remediate the finding. Configuration management is an IT Service Management (ITSM) process used to track and manage assets and to maintain the relationships between IT assets and resources. Configuration management identifies and tracks configuration items (CIs) and documents their capabilities and dependencies on other assets. There are many commercial software tools available in the market to implement configuration management. These tools are based on the Information Technology Infrastructure Library (ITIL) framework, which is considered the industry standard for ITSM processes.

39
Q

A report containing KPIs from a vulnerability management report was recently circulated to stakeholders. You are interested in identifying the security issues that are occurring most often in the enterprise. What section would be the BEST place to start looking for that information?

A)Trends
B)SLOs
C)Critical vulnerabilities and zero days
D)Top 10

A

The Top 10 key performance indicator (KPI) comprises a real-time list of issues detected in the organization, organized by the number of instances. This would give you immediate insight into the ten most frequent security issues.

The Trends KPI is one that attempts to take vulnerability information and identify patterns that might be useful in focusing efforts in the proper areas.

Service-level objectives (SLOs) are performance-based metrics, benchmarks, or goals directly associated with SLAs.

Critical vulnerabilities and zero days is a KPI that identifies the number of issues that remain unsolved or for which there is as yet no solution (a zero day).

40
Q

You are a cybersecurity advisor and have been tasked to review your organization’s existing incident response plan and incident handling procedures. The organization bases its plan on the four phases of the NIST incident response lifecycle.

During a brainstorming exercise with the incident response team, you documented several questions to better understand how they handle incidents.

Which of the following questions relate to the Detection & Escalation phase?

A)What would be the action plan to prevent similar incidents from occurring in the future?

B)To which stakeholders should the incident be reported?

C)How should incidents be contained?

D)Which controls are in place to prevent incidents from occurring?

E)Which events should be considered incidents?

A

Incident communication to internal and external stakeholders is part of the Detection & Escalation phase of the incident response plan.

41
Q

Which questions are involved in the Preparation phase of the IRP?

A

Preparation phase:

What are the criteria for declaring an incident?

What controls are in place to prevent the incident?

42
Q

Which questions are involved in the Detection & Analysis phase of the IRP?

A

What are the indicators for detecting an incident?

What technology is required to detect an incident?

When should an incident be escalated?

How should the incident response team verify that it is an incident?

To whom (internal or external stakeholders) should the team report an incident?

How should the incident be prioritized?

43
Q

Which questions are involved in the Containment, Eradication, & Recovery phase of the IRP?

A

How should the incident be contained?

What are the predicted impacts if an incident is not contained?

Who should be involved in the containment, eradication, and recovery processes?

What evidence should be captured?

Where should it be stored and retained?

44
Q

Which questions are involved in the Post-Incident Activity phase of the IRP?

A

Who should be involved in the lessons learned meeting?

What should be done to prevent similar incidents in the future?

How can the existing processes be improved?

45
Q

You are a cybersecurity consultant. In a recent incident management meeting, leadership decided to improve Mean Time to Detect (MTTD) to increase the effectiveness of the incident management program.

Which of the following would MOST improve MTTD metrics?

A)Storing confidential information in the cloud rather than on-premises.

B)Conducting awareness and training sessions for the incident response team.

C)Installing a Security Information and Event Management (SIEM) tool.

D)Conducting awareness and training sessions for the employees.

A

People are considered the weakest link in cybersecurity. Many employees do not realize that they can detect, report, and prevent security incidents. For example, employees may click links provided in suspicious emails that could lead to a major incident. Awareness and training sessions for the employees help improve MTTD metrics.

Awareness and training sessions for the incident response team will not help improve MTTD metrics because that team is responsible for responding to incidents, limiting the impact, and resolving the incident. Awareness and training sessions for the incident response team will help improve the mean time to resolve (MTTR) and mean time to contain (MTTC) metrics, which measure how fast a threat is prevented from spreading and eliminated.

46
Q

Your organization recently experienced a security breach. You are preparing the incident report.

Which section of the incident report identifies the systems involved?

A)Timeline
B)Impact
C)Evidence
D)Scope

A

The scope section describes the systems and networks affected by the incident.

The timeline section describes the events as they occurred from first detection to final resolution.

The impact section assesses the damage (both actual and reputational) caused by the incident and applies a cost figure if possible.

The evidence section lists any digital or physical evidence that may be used to identify and hold responsible those causing the incident.

47
Q

As an IT security consultant, you recently performed a vulnerability assessment for your organization and identified IT assets in need of patching and other fixes. This week you received a report from the technical teams and the asset owners stating that all of the vulnerabilities identified in the last assessment results were remediated as per your recommendations.

What should you do FIRST?

A

You should first perform remediation verification of the vulnerabilities. As a cybersecurity consultant, you should verify the confirmation made by the respective asset owners. This will help you understand whether the vulnerabilities were successfully remediated and whether the fixes caused any new issues. Remediation can be verified either by performing a new independent vulnerability assessment or by having independent internal teams conduct vulnerability tests.

48
Q

Your organization’s help desk received a call regarding a security incident. The Level 1 on-call help desk engineer was unable to resolve the incident.

Which of the following incident response components would assist the help desk engineer in determining the appropriate contact to resolve the incident?

A)Detection plan
B)BCP
C)Communications plan
D)Escalation procedures

A

Escalation procedures will help the help desk engineer to determine the appropriate staff to resolve the incident. The escalation procedures include the information on how the help desk engineer can determine the appropriate contact to take over the issue for resolution. Contact information for relevant levels is included in the escalation procedures.

49
Q

You are a cybersecurity analyst for your organization. Your organization has well defined and implemented patch management processes. All devices receive patches through Windows System Center Configuration Manager (SCCM).

Due to the pandemic, all employees started working from home. In the recent patching report, it was found that 70% of employee devices had not been patched because employees either did not connect regularly to the corporate network or did not have VPN access to the corporate network.

What should you do to overcome this situation and ensure all devices are patched? (Choose all that apply.)

A)Train all employees in how to patch their systems from their home networks in regular awareness and training sessions.

B)Implement standalone patch management instead of relying on SCCM to push the patches.

C)Grant VPN access to all employees.

D)Implement multi-factor authentication for all devices used outside the corporate network.

E)Ask all the employees to visit the office at least once a month and update their devices.

A

In the given scenario, you should do the following to overcome the situation and ensure all devices are patched:

Implement standalone patch management in addition to relying on SCCM to push the patches. This will ensure employees are not dependent on SCCM patching, which can only be done when their devices are connected to the corporate network.

Train all employees in how to patch their systems from their home networks in regular awareness and training sessions. This will ensure all employees are aware of the importance of patching and know how to do so from their remote workstations.

Grant VPN access to all the employees. Doing so will enable them to log in to the corporate network using a VPN and download and install the available updates pushed via SCCM.

50
Q

You are a cybersecurity analyst for your organization and have recently published the vulnerability scan report.

In which of the following sections of the reports would you place an index of all vulnerabilities identified, along with their categories (such as critical, high, medium, or low severity)?

A)Findings
B)Scan results
C)Executive summary
D)Risk assessment

A

The Risk Assessment section typically contains the following information:

Vulnerabilities categorized as critical, high, medium, or low severity

Explanation of risk categories

Vulnerability details (plugin name, description, solution)

The Findings section typically contains:

Systems scanned and systems not scanned

Reasons for unscanned systems

The Executive Summary section typically contains:

Date range of the assessment

Purpose and scope of the assessment

Non-technical overview of the findings ranked by severity level

The Scan Results section typically contains:

Explanation of vulnerability categorization

Overview of the types of reports provided

51
Q

You are a cybersecurity advisor for your organization and are working on creating an incident response plan. Specifically, you must ensure the incident communication portion of the plan is effective. Which of the following actions will help ensure clear and consistent communication with customers, regulators, and the press?

A)Develop a team to monitor the organization’s social media channels.

B)Create criteria for involving law enforcement.

C)Designate an internal point of contact for external communication.

D)Develop communication templates for customer outreach.

E)Formalize the process for initiating incident response.

A

Designating an internal point of contact for external communication will ensure clear and consistent communication with customers, regulators, and the press. The point of contact can be a member of your public relations team, your legal department, upper management, or any other logical designee. Everyone in the incident response team should understand which person or people are authorized to discuss the incident with external parties.

52
Q

Following the completion of a vulnerability assessment, the team is inserting the collected data into the proper documentation. In which of the following reports would the team place the risk score(s) of any vulnerabilities found and a list of the affected hosts?

A)Vulnerability score report
B)Rules of engagement
C)Executive summary
D)Vulnerability scan report

A

A typical vulnerability scan report contains the following information:

Executive summary

Scan results

Methodology

Findings, including CVE numbers

Risk assessment, including risk scores

Recurrence information

Recommendations for remediation and prioritization of results

The prioritization of the results would be based on:

Internally calculated risk scores

Externally calculated CVSS scores

Compliance factors

Organizational policies for prioritizing remediation

53
Q

Your organization has recently detected a major security incident. It is evident that customers’ Personally Identifiable Information (PII) has been compromised.

Which of the following is responsible for communicating with customers and has the best understanding of how to manage customers’ expectations and deal with the media? (Choose all that apply.)

A)Public affairs department
B)Legal department
C)Board of Directors
D)HR department
E)Incident response team lead
F)Marketing department

A

Public affairs and the marketing department are responsible for communicating with customers. They have a better idea of customers’ expectations and how to deal with the media. The public affairs and marketing departments can establish communications with the media, the general public, and affected customers. However, the internal point of contact for external communication regarding an incident should be established as part of the incident response plan.

54
Q

You are your company’s security analyst. In the past year, your organization has endured more frequent phishing attacks. Management decided to deploy the following controls to help prevent these attacks:

Spam filters that detect viruses, blank senders, and other malicious emails

Antivirus applications on all computers with automatic updates

Web filters that block malicious websites

After performing a vulnerability scan and penetration testing, you discover that employees are still falling victim to phishing attacks. Which of the following should you deploy as compensating controls for this problem? (Choose all that apply.)

A)Deploy an IPS between the internal network and the Internet.

B)Deploy security awareness training for all users.

C)Implement a new account lockout policy that will lock out accounts after three invalid attempts.

D)Deploy an IDS between the internal network and the Internet.

E)Implement a new security policy regarding clicking links in email messages.

F)Implement a new password policy forcing users to change their passwords every 60 days.

A

You should deploy the following as compensating controls to protect against phishing attacks:

Implement a new security policy regarding clicking links in email messages.

Deploy security awareness training for all users.

Both of these measures should help compensate for phishing attacks by providing users with guidance on what to do when they receive links in email messages.