Chapter 12 Flashcards
During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?
See who is connected to the access point and attempt to find the attacker.
Run a packet sniffer to monitor traffic to and from the access point.
Disconnect the access point from the network.
Connect to the access point and examine its logs for information.
Disconnect the access point from the network.
You are conducting a forensic investigation. The attack has been stopped. Which of the following actions should you perform first?
Stop all running processes.
Turn off the system.
Remove the hard drive.
Document what is on the screen.
Document what is on the screen.
When you conduct a forensic investigation, which of the following initial actions is appropriate for preserving evidence?
Stop all running processes.
Turn off the system.
Remove the hard drive.
Document what is on the screen.
Document what is on the screen.
What is the best definition of a security incident?
Interruption of productivity
Compromise of the CIA
Criminal activity
Violation of a security policy
Violation of a security policy
What is the purpose of audit trails?
To detect security-violating events.
To correct system problems.
To prevent security breaches.
To restore systems to normal operations.
To detect security-violating events.
After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best step or action to take next?
Deploy new countermeasures.
Back up all logs and audits regarding the incident.
Restore and repair any damage.
Update the security policy.
Back up all logs and audits regarding the incident.
Which of the following is an important aspect of evidence-gathering?
Restore damaged data from backup media.
Monitor user access to compromised systems.
Back up all log files and audit trails.
Purge transaction logs.
Back up all log files and audit trails.
As a security analyst, you suspect a threat actor used a certain tactic and technique to infiltrate your network. Which incident-response framework or approach would you utilize to see if other companies have had the same occurrence and what they did to remedy it?
Mitre Att@ck
Diamond Model of Intrusion Analysis
Cyber Kill Chain
Communication plan with stakeholders
Mitre Att@ck
As a security analyst, you have discovered the victims of an malicious attack have several things in common. Which tools would you use to help you identify who might be behind the attacks and prevent potential future victims? (Select two.)
Disaster recovery plan
Mitre Att@cks
Cyber Kill Chain
Implement appropriate stakeholder management
Diamond Model of Intrusion Analysis
Mitre Att@cks
Diamond Model of Intrusion Analysis
You are in charge of making sure the IT systems of your company survive in case of any type of disaster in any of your locations. Your document should include organizational charts, phone lists, and order of restore. Each business unit should write their own policies and procedures with guidelines from corporate management. Which of the following documents should you create for this purpose?
Disaster recovery plan
Incident-response team charter
Business continuity plan
Communication plan
Business continuity plan
Your browser has blocked your from your crucial secure intranet sites. What could be the problem?
You are using HTTP instead of HTTPS.
Your SSL certificate status has been revoked.
You misconfigured a content filter.
The firewall administrator set up a rule that blocked the users.
Your SSL certificate status has been revoked.
You would like to make sure users are not accessing inappropriate content online at work. Which endpoint security strategy would you employ?
Content filtering
URL filters
Firewall rules
Mobile device management (MDM)
Content filtering
You want to allow RDP 3389 traffic into your network for a group of users to access a particular workstation that has a special application in your office. Which endpoint security tool would you use to make this happen?
URL filters
Firewall rules
Data monitoring apps
Content filters
Firewall rules
You need to remotely wipe an android phone for one of your rogue users. Which endpoint tool would you use?
Mobile application management (MAM)
Quarantining
MAM-WE
Mobile device management (MDM)
Mobile device management (MDM)
This application endpoint-protection rule implicitly denies unless added to the rule. Which of the following processes describes this?
Content filtering
Blacklisting
Quarantining
Whitelisting
Whitelisting
You would like to enhance your incident-response process and automate as much of it as possible. Which of the following elements would you need to include? (Select two.)
Blacklisting
Runbooks
Quarantining
Whitelisting
Playbooks
Runbooks
Playbooks
You have detected and identified a security event. What’s the first step you should complete?
Containment
Segmentation
Isolation
Playbook
Containment
You need to limit a compromised application from causing harm to other assets in your network. Which strategy should you employ?
SOAR
Isolation
Segmentation
Containment
Isolation
You need to limit the impact of a security breach for a particular file server with sensitive company data. Which strategy would you employ?
Containment
Isolation
Segmentation
SOAR
Segmentation
As a security analyst, you are looking for a platform to compile all your security data generated by different endpoints. Which tool would you use?
SOAR
MDM
GDPR
MAM
SOAR
Which of the following components are the SIEM’s way of letting the IT team know that a pre-established parameter is not within the acceptable range?
Dashboard
Trends
Sensors
Alerts
Alerts
Some users report that frequent system crashes have started happening on their workstations. Upon further investigation, you notice that these users all have the same application installed that has been recently updated. Where would you go to conduct a root cause analysis?
Security log
Network log
Firewall log
Application log
Application log
You suspect cache poisoning or spoofing has occurred on your network. Users are complaining of strange web results and being redirected to undesirable sites. Which log would help you determine what is going on?
Application logs
Security logs
DNS logs
Network logs
DNS logs
You suspect a bad video driver is causing a user’s system to randomly crash and reboot. Where would you go to identify and confirm your suspicions?
Application logs
SIP logs
Dump files
Syslog
Dump files
Which of the following is a standard for sending log messages to a central logging server?
Syslog
OVAL
Nmap
LC4
Syslog
You are concerned that an attacker can gain access to your web server, make modifications to the system, and alter the log files to hide his or her actions. Which of the following actions would best protect the log files?
Use syslog to send log entries to another server.
Configure permissions on the log files to prevent access.
Take a hash of the log files.
Encrypt the log files.
Use syslog to send log entries to another server.
Over the past few days, a server has gone offline and rebooted automatically several times. You would like to see a record of when each of these restarts has occurred.
Which log type should you check?
Security
System
Performance
Firewall
System
Which log file type is one of the most tedious to parse but can tell you exactly when users log onto your site and what their location is?
Web server logs
System logs
Event logs
Authentication logs
Web server logs
You would like to get a feel for the amount of bandwidth you are using in your network. What is the first thing you should do?
Create data points.
Choose a protocol.
Set intervals.
Establish a baseline.
Establish a baseline.
You are worried about email spoofing. What can be put throughout an email’s header that provides the originating email account or IP address and not a spoofed one?
Timestamp
Data points
Metadata
X-headers
X-headers
Which two types of service accounts must you use to set up event subscriptions?
Local event administrators account
Collector computer account
Network server machine account
Default machine account
Specific user service account
Default machine account
Specific user service account
By default, events received from the source computers in Event Subscription are saved in which log?
Application log
Forwarded Events log
Security log
System log
Forwarded Events log
You set up Event Subscription, but you are getting an overwhelming amount of events recorded. What should you do?
Use the Runtime Status link
Define a filter
Choose the correct subscription type
Use the default machine account
Define a filter
Which of the following are required to configure Event Subscription for event forwarding? (Select three.)
Start Windows Event Collector service on collector computer.
Give the subscription a name.
Start Windows Remote Management service on both the source and collector computers.
Configure the destination log.
Configure Runtime Status.
Create a Windows firewall exception for HTTP or HTTPS on all source computers.
Create a filter.
Start Windows Event Collector service on collector computer.
Start Windows Remote Management service on both the source and collector computers.
Create a Windows firewall exception for HTTP or HTTPS on all source computers.
You are configuring a source-initiated subscription on the collector computer in Event Viewer. Which of the following do you need to specify?
Computer
Content filter
System log
Computer group
Computer group
For some reason, your source computers are not communicating properly with the collector. Which tool would you use to verify communications?
Run winrm qc -q
Runtime Status
Event Viewer System log
Run wecutil qc
Runtime Status
For source-initiated subscriptions, which tool do you use to configure event forwarding?
Filter settings
Group Policy
Service account
Event Viewer
Group Policy
You have a large number of source computers in your IT environment. Which subscription type would be most efficient to employ?
HTTP or HTTPS
Event forwarding
Source-initiated
Collector-initiated
Source-initiated
You want to set up a collector-initiated environment for event subscriptions. Which commands would you run? (Select two.)
Run wecutil qc /q on the source computer
Run winrm qc -q on the source computer.
Run wecutil qc on the collector computer.
Run winrm qc /q on the collector computer.
Run wecutil qc on the source computer
Run winrm qc -q on the collector computer.
Run winrm qc -q on the source computer.
Run wecutil qc on the collector computer.
You wish to configure collector-initiated event subscriptions. On the collector computer, in which program do you configure a subscription?
Event Viewer
Computer Management
Device Manager
Local Group Policy
Event Viewer
What is the most important element related to evidence in addition to the evidence itself?
Completeness
Witness testimony
Chain of custody document
Photographs of the crime scene
Chain of custody document
The chain of custody is used for which purpose?
Listing people coming into contact with the evidence
Retaining evidence integrity
Identifying the owner of the evidence
Detailing the timeline between creation and discovery of evidence
Listing people coming into contact with the evidence
You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. Which type of document is this?
Rules of evidence
CPS (certificate practice statement)
Chain of custody
FIPS-140
Chain of custody
How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence?
Write a log file to the media
Enable write protection
Create a checksum using a hashing algorithm
Reset the file attributes on the media to read-only
Create a checksum using a hashing algorithm
As a security analyst, you are configuring your environment to be able to properly gather digital forensic information. Which of the following must be set up to help create a timeline of events?
Create a solid chain of custody that proves that no evidence-tampering has occurred.
Create tags for all your IT assets so that they are easily identifiable and trackable.
Make sure all client computers have their time set accurately by a time server.
Create a report template that helps you describe the incident, how the evidence was analyzed, and the conclusions you came to.
Make sure all client computers have their time set accurately by a time server.
You want to store your computer-generated audit logs in case they are needed in the future for examination or to be used as evidence in the event of a security incident. Which method can you use to ensure that the logs you put in storage have not been altered when you use them in the future?
Encrypt the logs.
Create a hash of each log.
Make two copies of each log and store each copy in a different location.
Store the logs in an offsite facility.
Create a hash of each log.
What does the hashing of log files provide?
Prevention of log files being altered or overwritten
Proof that the files have not been altered
Sequencing of files and log entries to recreate a timeline of events
Prevention of the system running when the log files are full
Confidentiality to prevent unauthorized reading of the files
Proof that the files have not been altered
Which method can you use to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence?
Photographs
File directory listing
Serial number notation
Hashing
Hashing
Your company is about to begin litigation, and you need to gather information. You need to get emails, memos, invoices, and other electronic documents from employees. You’d also like to get printed, physical copies of documents. Which tool would you use to gather this information?
Legal hold
Timestamps
Timeline of events
Chain of custody
Legal hold
A forensic investigator gathers potential evidence from many software, hardware, and other sources. There is an order in which the evidence needs to be gathered. The order of volatility describes the process of capturing data based on the volatility of said data.
Place the following items in the correct order of volatility in the gathering of potential evidence. (1-5)
Swap/page file
RAM
Remote logs
Hard Drive
Archived data
- RAM
- Swap/page file
- Hard drive
- Remote logs
- Archived data
You need to find the text string New Haven in 100 documents in a folder structure on a Linux server. Which command would you use?
grep
tail
head
chmod
grep
You would like to add some entries into the system log file. Which command would you use?
cat
logger
grep
chmod
logger
You would like to see only the last 15 lines of /home/user/logfile on your Linux machine. Which command line interface (CLI) command would you use?
head -n 15 /home/user/logfile
tail -n 15 /home/user/logfile
tail -f /home/user/logfile
cat -n 15 /home/user/logfile
tail -n 15 /home/user/logfile
A conditional statement that selects the statements to run depending on whether an expression is true or false is known as which of the following?
If else statement
If statement
Else statement
Else if statement
If else statement
Which of the following BEST describes a constant?
A sequence of characters.
A group of related data values or elements.
A named unit of data that is assigned a value.
Data or a value that does not change.
Data or a value that does not change.
!= or <> refers to Not Equal in which scripting language?
PowerShell
Bash
Python
PuTTY
Python
Which of the following BEST describes PuTTy?
A mechanism that allows you to interact with the operating system directly.
Open-source software that is developed and supported by a group of volunteers.
A method that provides an encryption standard that’s widely used by internet websites.
A programming language for a special runtime environment that automates the execution of tasks.
Open-source software that is developed and supported by a group of volunteers.
Match each network sniffing method with the correct definition.
MAC spoofing
-Allows an attacker’s computer to connect to a switch using an authorized MAC address.
-The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.
-The MAC address of the attacker can be associated with the IP address of another host.
-Creates a duplicate of all network traffic on a port and sends it to another device.
Allows an attacker’s computer to connect to a switch using an authorized MAC address.
Match each network sniffing method with the correct definition.
Port mirroring
-Allows an attacker’s computer to connect to a switch using an authorized MAC address.
-The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.
-The MAC address of the attacker can be associated with the IP address of another host.
-Creates a duplicate of all network traffic on a port and sends it to another device.
Creates a duplicate of all network traffic on a port and sends it to another device.
Match each network sniffing method with the correct definition.
ARP poisoning
-Allows an attacker’s computer to connect to a switch using an authorized MAC address.
-The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.
-The MAC address of the attacker can be associated with the IP address of another host.
-Creates a duplicate of all network traffic on a port and sends it to another device.
The MAC address of the attacker can be associated with the IP address of another host.
Match each network sniffing method with the correct definition.
MAC flooding
-Allows an attacker’s computer to connect to a switch using an authorized MAC address.
-The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.
-The MAC address of the attacker can be associated with the IP address of another host.
-Creates a duplicate of all network traffic on a port and sends it to another device.
The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.
For some reason, when you capture packets as part of your monitoring, you aren’t seeing much traffic. What could be the reason?
You have multiple MAC addresses associated with one NIC.
Your NIC is set to broadcasting instead of receiving.
You forgot to turn on promiscuous mode for the network interface.
Your machine is set to only capture HTTP packets.
You forgot to turn on promiscuous mode for the network interface.
You would like to simulate an attack on your network so you can test defense equipment and discover vulnerabilities in order to mitigate risk. Which tool would you use to simulate all the packets of an attack?
Etherflood
Wireshark
TCPDump
TCPReplay
TCPReplay
Which of the following is a recovery site that may have electricity connected, but there are no servers installed and no high-speed data lines present?
Hot site
Reciprocal agreement
Warm site
Cold site
Cold site
To prevent server downtime, which of the following components should be installed redundantly in a server system?
Power supply
CD or DVD drive
RAM modules
Floppy disk drive
Power supply
You have been asked to deploy a network solution that includes an alternate location where operational recovery is provided within minutes of a disaster. Which of the following strategies would you choose?
Cold site
Warm site
Hot site
Hot spare
Hot site
What is the primary security feature that can be designed into a network’s infrastructure to protect and support availability?
Switches instead of hubs
Periodic backups
Fiber optic cables
Redundancy
Redundancy
Daily backups are completed at the ABD company location, and only a weekly backup is maintained at another network location. Which of the following disaster recovery strategies is ABD using?
Cold site
Hot spare
Warm site
Hot site
Warm site
Which of the following disk configurations might sustain losing two disks? (Select two.)
RAID 1
RAID 1+0
RAID 0+1
RAID 5
RAID 0
RAID 1+0
RAID 0+1
You have a computer with three hard disks. A RAID 0 volume uses space on Disk 1 and Disk 2. A RAID 1 volume uses space on Disk 2 and Disk 3.
Disk 2 fails. Which of the following is true?
Data on the RAID 1 volume is accessible; data on the RAID 0 volume is not.
Data on the RAID 0 volume is accessible; data on the RAID 1 volume is not.
Data on both volumes is not accessible.
Data on both volumes is still accessible.
Data on the RAID 1 volume is accessible; data on the RAID 0 volume is not.
Which of the following drive configurations is fault tolerant?
RAID 0
RAID 5
Disk striping
Expanded volume set
RAID 5
You have been asked to implement a RAID 5 solution for your network. What is the minimum number of hard disks that can be used to configure RAID 5?
2
3
4
5
6
3
Which of the following network strategies connects multiple servers together so that if one server fails, the others immediately take over its tasks, preventing a disruption in service?
Clustering
Adapter bonding
Storage Area Networks (SANs)
Mirroring
Clustering
A system failure has occurred. Which of the following restoration processes would result in the fastest restoration of all data to its most current state?
Restore the full backup and all differential backups
Restore the full backup and all incremental backups
Restore the full backup and the last incremental backup
Restore the full backup and the last differential backup
Restore the full backup and the last differential backup
Your disaster recovery plan calls for backup media to be stored at a different location. The location is a safe deposit box at the local bank. Because of this, the disaster recovery plan specifies that you choose a method that uses the least amount of backup media, but also allows you to quickly back up and restore files.
Which backup strategy would BEST meet the disaster recovery plan?
Perform a full backup each day of the week.
Perform a full backup once per week and an incremental backup the other days of the week.
Perform a full backup once per year and a differential backup for the rest of the days in the year.
Perform a full backup once per month and an incremental backup the other days of the month.
Perform a full backup once per week and a differential backup the other days of the week.
Perform a full backup once per week and a differential backup the other days of the week.
Your network uses the following backup strategy:
Full backups every Sunday night
Differential backups Monday night through Saturday night
On Thursday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data?
1
2
3
4
5
2
Which backup strategy backs up all files from a computer’s file system, regardless of whether the file’s archive bit is set or not, and then marks them as backed up?
Full
Copy
Differential
Incremental
Full
Your network performs a full backup every night. Each Sunday, the previous night’s backup tape is archived.
On a Wednesday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data?
1
2
3
4
5
6
1
Which of the following describes a system image backup? (Select two.)
A system image only contains the operating system, installed programs, drivers, and user profile settings.
A system image does not include operating system files, program files, encrypted files, files in the Recycle Bin, user profile settings, or temporary files.
A system image includes only specified files and folders backed up to a compressed file.
A system image backup consists of an entire volume backed up to .vhd files.
A system image contains everything on the system volume, including the operating system, installed programs, drivers, and user data files.
A system image backup consists of an entire volume backed up to .vhd files.
A system image contains everything on the system volume, including the operating system, installed programs, drivers, and user data files.
Which of the following are backed up during an incremental backup?
Only files that have changed since the last full or differential backup.
Only files that have changed since the last full backup.
Only files that are new since the last full or incremental backup.
Only files that have changed since the last full or incremental backup.
Only files that have changed since the last full or incremental backup.
Which of the following is true of an incremental backup’s process?
Backs up all files regardless of the archive bit and resets the archive bit.
Backs up all files with the archive bit set and does not reset the archive bit.
Backs up all files with the archive bit set and resets the archive bit.
Backs up all files regardless of the archive bit and does not reset the archive bit.
Backs up all files with the archive bit set and resets the archive bit.
Your network uses the following backup strategy:
Full backups every Sunday night
Incremental backups Monday night through Saturday night
On a Thursday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data?
1
2
3
4
5
4
Why should backup media be stored offsite?
To reduce the possibility of theft
To prevent the same disaster from affecting both the network and the backup media
To comply with government regulation
To improve the efficiency of the restoration process
To prevent the same disaster from affecting both the network and the backup media
