B.3.4 Security+ SY0-601 Domain 4: Operations and Incident Response Flashcards

78 questions (plus some of my own)

1
Q

Which of the following tools can be used to view and modify DNS server information in Linux?

A

dig

2
Q

Which command should you use to scan for open TCP ports on your Linux system?

A

nmap -sT

3
Q

You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram.
Which tool should you use?

A

Network mapper

4
Q

You need to enumerate the devices on your network and display the network’s configuration details.

Which of the following utilities should you use?

A

nmap

5
Q

You need to check network connectivity from your computer to a remote computer.

Which of the following tools would be the BEST option to use?

A

ping

6
Q

Which command should you use to display both listening and non-listening sockets on your Linux system?

A

netstat -a

7
Q

You want to use a tool to scan a system for vulnerabilities, including open ports, running services, and missing patches. Which tool should you use?

A

Nessus

8
Q

Which of the following tools can be used to see if a target has any online IoT devices without proper security?

A

Shodan

9
Q

You need to find the text string New Haven in 100 documents in a folder structure on a Linux server. Which command would you use?

A

grep

10
Q

Which of the following BEST describes PuTTY?

A

Open-source software that is developed and supported by a group of volunteers

11
Q

!= refers to Not Equal in which scripting language?

A

Python

12
Q

Which of the following BEST describes a constant?

A

Data or a value that does not change

13
Q

A conditional statement that selects the statements to run depending on whether an expression is true or false is known as which of the following?

A

If else statement

14
Q

You would like to simulate an attack on your network so you can test defense equipment and discover vulnerabilities in order to mitigate risk. Which tool would you use to simulate all the packets of an attack?

A

Tcpreplay

15
Q

Which of the following are network-sniffing tools?

A

Cain and Abel, Ettercap, and tcpdump

16
Q

You want to use a tool to see packets on a network, including the source and destination of each packet. Which tool should you use?

A

Wireshark

17
Q

You are using a protocol analyzer to capture network traffic. You want to only capture the frames coming from a specific IP address.

Which of the following can you use to simplify this process?

A

Capture filters

18
Q

You want to check a server for user accounts that have weak passwords. Which tool should you use?

A

John the Ripper

19
Q

An attacker has gained access to the administrator’s login credentials. Which type of attack has most likely occurred?

A

Password cracking

20
Q

You are conducting a forensic investigation. The attack has been stopped. Which of the following actions should you perform first?

A

Document what is on the screen

21
Q

During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?

A

Disconnect the access point from the network

22
Q

After a security event that involves a breach of physical security, what is the term used for the new measures, incident review, and repairs meant to stop a future incident from occurring?

A

Recovery

23
Q

What is the best definition of a security incident?

A

Violation of a security policy

24
Q

What is the purpose of audit trails?

A

To detect security-violating events

25
Q

As a security analyst, you suspect a threat actor used a certain tactic and technique to infiltrate your network. Which incident-response framework or approach would you utilize to see if other companies have had the same occurrence and what they did to remedy it?

A

MITRE ATT&CK

26
Q

What is MITRE ATT&CK?

A

A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations

27
Q

As a security analyst, you have discovered that the victims of a malicious attack have several things in common. Which tools would you use to help you identify who might be behind the attacks and prevent potential future victims? (Select two.)

A

Diamond Model of Intrusion Analysis
MITRE ATT&CK

28
Q

What is the primary goal of business continuity planning?

A

Maintain business operations with reduced or restricted infrastructure capabilities or resources

29
Q

When is a BCP or DRP design and development actually completed?

A

Never

30
Q

You are in charge of making sure the IT systems of your company survive in case of any type of disaster in any of your locations. Your document should include organizational charts, phone lists, and order of restore. Each business unit should write their own policies and procedures with guidelines from corporate management.
Which of the following documents should you create for this purpose?

A

Business continuity plan

31
Q

Which of the following components is the SIEM’s way of letting the IT team know that a pre-established parameter is not within the acceptable range?

A

Alerts

32
Q

Over the past few days, a server has gone offline and rebooted automatically several times. You would like to see a record of when each of these restarts has occurred.

Which log type should you check?

A

System

33
Q

You would like to see only the last 15 lines of /home/user/logfile on your Linux machine. Which command line interface (CLI) command would you use?

A

tail -n 15 /home/user/logfile

34
Q

You would like to add some entries into the system log file. Which command would you use?

A

logger

35
Q

Some users report that frequent system crashes have started happening on their workstations. Upon further investigation, you notice that these users all have the same application installed that has been recently updated.
Where would you go to conduct a root cause analysis?

A

Application log

36
Q

Which log file type is one of the most tedious to parse but can tell you exactly when users log onto your site and what their location is?

A

Web server logs

37
Q

You suspect cache poisoning or spoofing has occurred on your network. Users are complaining of strange web results and being redirected to undesirable sites. Which log would help you determine what is going on?

A

DNS logs

38
Q

You suspect a bad video driver is causing a user’s system to randomly crash and reboot. Where would you go to identify and confirm your suspicions?

A

Dump files

39
Q

After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best step or action to take next?

A

Back up all logs and audits regarding the incident

40
Q

Which of the following is an important aspect of evidence-gathering?

A

Back up all log files and audit trails

41
Q

Which of the following is a standard for sending log messages to a central logging server?

A

Syslog

42
Q

You are worried about email spoofing. What can be put throughout an email’s header that provides the originating email account or IP address and not a spoofed one?

A

X-headers

43
Q

You are running a packet sniffer on your workstation so you can identify the types of traffic on your network. You expect to see all the traffic on the network, but the packet sniffer only seems to be capturing frames that are addressed to the network interface on your workstation.

Which of the following must you configure in order to see all of the network traffic?

A

Configure the network interface to use promiscuous mode

44
Q

Which of the following accurately describes what a protocol analyzer is used for? (Select two.)

A

A passive device that is used to copy frames and allow you to view frame contents

A device that does NOT allow you to capture, modify, and retransmit frames (to perform an attack)

45
Q

You want to identify traffic that is generated and sent through a network by a specific application running on a device.

Which tool should you use?

A

Protocol analyzer

46
Q

You want to know which protocols are being used on your network. You’d like to monitor network traffic and sort traffic by protocol.

Which tool should you use?

A

Packet sniffer

47
Q

You are concerned about attacks directed against the firewall on your network. You would like to examine the content of individual frames sent to the firewall.

Which tool should you use?

A

Packet sniffer

48
Q

Your organization recently purchased 20 Android tablets for use by the organization’s management team.

To increase the security of these devices, you want to ensure that only specific apps can be installed. Which of the following would you implement?

A

App whitelisting

49
Q

Which of the following items would you secure in the Perimeter layer of the security model?

A

Firewalls

50
Q

You are configuring web threat protection on the network and want to prevent users from visiting www.videosite.org.
Which of the following needs to be configured?

A

Website filtering

51
Q

You want to allow RDP 3389 traffic into your network for a group of users to access a particular workstation that has a special application in your office. Which endpoint security tool would you use to make this happen?

A

Firewall rules

52
Q

You need to remotely wipe an Android phone for one of your rogue users. Which endpoint tool would you use?

A

Mobile device management (MDM)

53
Q

You are implementing security at a local high school that is concerned with students accessing inappropriate material on the internet from the library’s computers. The students use the computers to search the internet for research paper content. The school budget is limited.

Which content filtering option would you choose?

A

Restrict content based on content categories

54
Q

You are investigating the use of website and URL content filtering to prevent users from visiting certain websites.

Which benefits are the result of implementing this technology in your organization? (Choose two.)

A

Enforcement of the organization’s internet usage policy

An increase in bandwidth availability

55
Q

You are configuring web threat protection on the network and have identified a website that contains malicious content. Which of the following should you configure?

A

Web threat filtering

56
Q

Which of the following types of proxies can be used for web filtering?

A

Transparent

57
Q

You need to limit a compromised application from causing harm to other assets in your network. Which strategy should you employ?

A

Isolation

58
Q

You have detected and identified a security event. What’s the first step you should complete?

A

Containment

59
Q

You need to limit the impact of a security breach for a particular file server with sensitive company data. Which strategy would you employ?

A

Segmentation

60
Q

Which of the following Security Orchestration, Automation, and Response (SOAR) system automation components is often used to document the processes and procedures that are to be used by a human during a manual intervention?

A

Playbook

61
Q

Which of the following roles would be MOST likely to use a protocol analyzer to identify frames that might cause errors?

A

Security operations team

62
Q

As a security analyst, you are looking for a platform to compile all your security data generated by different endpoints. Which tool would you use?

A

SOAR

63
Q

You would like to enhance your incident-response process and automate as much of it as possible. Which of the following elements would you need to include? (Select two.)

A

Runbooks

Playbooks

64
Q

Your company is about to begin litigation, and you need to gather information. You need to get emails, memos, invoices, and other electronic documents from employees. You’d also like to get printed, physical copies of documents. Which tool would you use to gather this information?

A

Legal hold

65
Q

What is the most important element related to evidence in addition to the evidence itself?

A

Chain of custody document

66
Q

The chain of custody is used for which purpose?

A

Listing people coming into contact with the evidence

67
Q

You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. Which type of document is this?

A

Chain of custody

68
Q

What is a Chain of Custody?

A

A document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court

69
Q

By default, events received from the source computers in Event Subscription are saved in which log?

A

Forwarded Events log

70
Q

As a security analyst, you are configuring your environment to be able to properly gather digital forensic information. Which of the following must be set up to help create a timeline of events?

A

Make sure all client computers have their time set accurately by a time server

71
Q

Prepare to Document means establishing the process you will use to document your network.

Which of the following makes this documentation more useful?

A

Have a printed hard copy kept in a secure location

72
Q

Which area of focus helps to identify weak network architecture or design?

A

Documentation

73
Q

Documenting procedures and processes is part of which milestone in the NSA’s Manageable Network Plan?

A

Document Your Network

74
Q

When you conduct a forensic investigation, which of the following initial actions is appropriate for preserving evidence?

A

Document what is on the screen

75
Q

A forensic investigator gathers potential evidence from many software, hardware, and other sources. There is an order in which the evidence needs to be gathered. The order of volatility describes the process of capturing data based on the volatility of said data.

Place the following items in the correct order of volatility in the gathering of potential evidence.

A

Random Access Memory (RAM)
Swap/page file
Hard drive
Remote logs
Archived data

76
Q

Your computer system is a participant in an asymmetric cryptography system. You’ve created a message to send to another user. Before transmission, you hash the message and encrypt the hash using your private key. You then attach this encrypted hash to your message as a digital signature before sending it to the other user.

In this example, which protection does the hashing activity provide?

A

Integrity

77
Q

You want to store your computer-generated audit logs in case they are needed in the future for examination or to be used as evidence in the event of a security incident.
Which method can you use to ensure that the logs you put in storage have not been altered when you use them in the future?

A

Create a hash of each log

78
Q

What does the hashing of log files provide?

A

Proof that the files have not been altered

79
Q

How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence?

A

Create a checksum using a hashing algorithm

80
Q

You have downloaded a file from the internet. You generate a hash and check it against the original file’s hash to ensure the file has not been changed.
Which information security goal is this an example of?

A

Integrity