CompTIA Security+ Get Certified Get Ahead - CH11 Review Flashcards

1
Q

Management within your organization wants to ensure that users understand the Rules of Behavior when they access the organization’s Computer systems and Networks. Which of the following BEST describes what they would implement to meet this requirement?

AUP
NDA
SLA
MSA

A

AUP (Acceptable Use Policy)

Explanation:
An acceptable use policy (AUP) informs users of company expectations when they use computer systems and networks, and it defines acceptable rules of behavior.

A non-disclosure agreement (NDA) ensures that individuals do not share proprietary data with others.
A service level agreement (SLA) is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
A measurement systems analysis (MSA) evaluates the processes and tools used to make measurements.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1065). YCDA, LLC. Kindle Edition.

2
Q

Management recently decided to upgrade the organization’s Security policy. Among other items, they want to implement a policy that will reduce the risk of personnel within the organization colluding to embezzle company funds. Which of the following is the BEST choice to meet this need?

AUP
Training
Mandatory Vacations
Background Check

A

Mandatory Vacations

Explanation:
Mandatory vacations help to reduce the possibility of fraud and embezzlement.

An acceptable use policy informs users of company policies, and even though users sign them, they don’t deter someone considering theft by embezzling funds.
Training can help reduce incidents by ensuring personnel are aware of appropriate policies.
A background check is useful before hiring employees, but it doesn’t directly reduce risks related to employees colluding to embezzle funds.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1066). YCDA, LLC. Kindle Edition.

3
Q

Lisa is a training instructor, and she maintains a training lab with 16 computers. She has enough rights and permissions on these machines to configure them as needed for classes. However, she does not have the rights to add them to the organization’s domain. Which of the following choices BEST describes the reasoning for this?

Least Privilege
MSA
Diversity of Training
Offboarding

A

Least Privilege

Explanation:
When following the principle of least privilege, individuals have only enough rights and permissions to perform their job. Lisa needs to maintain the training lab, but there is no indication she needs to join the training lab computers to the domain.

A measurement systems analysis (MSA) uses various methods to identify variations within a measurement process and is completely unrelated to this question.
Diversity of training techniques refers to using different training techniques for end users.
Offboarding is the process of removing employees’ access when they leave the company but has nothing to do with the privileges of a training instructor.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1066). YCDA, LLC. Kindle Edition.

4
Q

Your organization includes a software development division within the IT department. One developer writes and maintains applications for the Sales and Marketing departments. A second developer writes and maintains applications for the Payroll department. Once a year, they switch roles for at least a month. What is the purpose of this practice?

To enforce a separation of duties policy.
To enforce a mandatory vacation policy.
To enforce a job rotation policy.
To enforce an Acceptable Use Policy.

A

To enforce a job rotation policy.

Explanation:
This practice enforces a job rotation policy where employees rotate into different jobs, and it is designed to reduce potential incidents.

A separation of duties policy prevents any single person from performing multiple job functions to help prevent fraud, but it doesn’t force users to switch roles.
A mandatory vacation policy requires employees to take time away from their job.
An acceptable use policy informs users of their responsibilities when using an organization’s equipment.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1066). YCDA, LLC. Kindle Edition.

5
Q

Your organization recently suffered a costly malware attack. Management wants to take steps to prevent damage from malware in the future. Which of the following phases of common incident response procedures is the BEST phase to address this?

Preparation
Identification
Containment
Eradication

A

Preparation

Explanation:
The preparation phase is the first phase of common incident response procedures and attempts to prevent security incidents.

Incident identification occurs after a potential incident occurs and verifies it is an incident.
Containment attempts to limit the damage by preventing an incident from spreading, but it doesn’t prevent the original incident.
Eradication attempts to remove all malicious elements of an incident after it has been contained.

All six steps in order are preparation, identification, containment, eradication, recovery, and lessons learned.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1067). YCDA, LLC. Kindle Edition.

6
Q

An incident response team is following typical incident response procedures. Which of the following phases is the BEST choice for analyzing an incident to identify steps to prevent a reoccurrence of the incident?

Preparation
Identification
Eradication
Lessons Learned

A

Lessons Learned

Explanation:
You should analyze an incident during the lessons learned phase of incident response to identify steps to prevent reoccurrence.

Preparation is a planning step done before an incident, to prevent incidents and identify methods to respond to incidents.
Identification is the first step after hearing about a potential incident to verify it is an incident.
Eradication attempts to remove all malicious elements of an incident after containing it.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1067). YCDA, LLC. Kindle Edition.

7
Q

After a recent cybersecurity incident resulting in a significant loss, your organization decided to create a Security policy for incident response. Which of the following choices is the BEST choice to include in the policy when an incident requires confiscation of a physical asset?

Ensure hashes are taken first.
Maintain the Order of Volatility.
Keep a record of everyone who took possession of the physical asset.
Require interviews of all witnesses present when the asset is confiscated.

A

Keep a record of everyone who took possession of the physical asset.

Explanation:
It’s important to keep a chain of custody for any confiscated physical items, and the chain of custody is a record of everyone who took possession of the asset after it was first confiscated.

Hashes should be taken before capturing an image of a disk, but hashes are not required before confiscating equipment.
Security personnel should be aware of the order of volatility and protect volatile data, but there isn’t any way to maintain the order of volatility.
It’s important to perform interviews of anyone who observed the incident, but it isn’t necessary to interview people who were present when the asset is confiscated.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1067). YCDA, LLC. Kindle Edition.

8
Q

A forensic analyst was told of a suspected attack on a Virginia-based web Server from IP Address 72.52.230.233 at 01:23:45 GMT. However, after investigating the logs, he doesn’t see any traffic from that IP at that time. Which of the following is the MOST likely reason why the analyst was unable to identify the traffic?

He did not account for the time offset.
He did not capture an image.
The IP Address has expired.
The logs were erased when the system was rebooted.

A

He did not account for the time offset.

Explanation:
The most likely reason is that he did not account for the time offset. The attack occurred at 01:23:45 Greenwich Mean Time (GMT), which is the same time in London (except when daylight saving time starts). The web server is in the Eastern Standard Time (EST) zone in Virginia, which is five hours different from GMT.

There is no need to capture an image to view logs.
IP addresses on the Internet do not expire.
Logs are written to a hard drive or a central location; they are not erased when a system is rebooted.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1067-1068). YCDA, LLC. Kindle Edition.

9
Q

Homer called the Help Desk complaining his computer is giving random errors. Cybersecurity professionals suspect his system is infected with malware and decide to use digital forensic methods to acquire data on his system. Which of the following should be collected before turning the system off? (Choose TWO)

Image of Disk
RAM
OS
ROM
Cache

A

RAM
Cache

Explanation:
Random access memory (RAM) and cache are the most volatile of the items listed and should be collected before the system is turned off.

You can collect an image of the disk and the operating system (OS) after it is powered off.
Read-only memory (ROM) will be retained even when the power is removed.

While the swap/pagefile is not listed, it should also be collected. If the system is turned back on after it is turned off, the swap/pagefile will be overwritten.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1068). YCDA, LLC. Kindle Edition.

10
Q

After a recent incident, a forensic analyst was given several hard drives to analyze. Which of the following actions should she take FIRST?

Capture drive images for integrity.
Take hashes for provenance.
Review the logs on the disks.
Create a Chain of Custody Document.

A

Take hashes for provenance.

Explanation:
Forensic analysts take hashes to prove provenance of the copy. The hash (or checksum) provides proof that the copy is the same as the original and has not lost integrity.

A drive image shouldn’t be captured before creating a hash, and just having a drive image doesn’t provide integrity or prove that it is the same as the original.
Reviewing any data on an original disk will potentially modify the data so it shouldn’t be done.
A chain of custody document is created when evidence is collected, so it should already exist.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1068). YCDA, LLC. Kindle Edition.

11
Q

A health care organization manages several hospitals and medical facilities within a state, and they have treated thousands of patients who have suffered from a recent viral outbreak. Doctors from another state are performing studies of this virus and would like to access the information that the health care organization has amassed. Management has authorized the release of this information but has mandated that the data cannot reveal any personal information about patients. Which of the following methods will BEST meet these requirements?

Pseudo-anonymization
Tokenization
Encryption
Masking

A

Masking

Explanation:
Data masking will modify the original data and can be used to hide Personally Identifiable Information (PII). In this scenario, data masking could modify names, addresses, and phone numbers, while retaining medical data such as treatments and outcomes.

Although not available as a choice, anonymization of the data could also meet the requirements.
Pseudo-anonymization replaces some data with pseudonyms, or artificial identifiers, but the process can be reversed to identify the original data, so it isn’t the best choice.
Tokenization replaces data elements with a token, and the token is then used in place of the original data element. Tokenization doesn’t protect identities.
Encryption would convert cleartext into ciphertext making everything unusable by the outside researchers.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1068-1069). YCDA, LLC. Kindle Edition.

12
Q

An urban hospital has recently treated hundreds of patients after a viral outbreak. Researchers trying to learn more about the virus have asked the hospital for information on treatment methods they used and their outcomes. The hospital management has asked the IT department to remove all personal information about patients before releasing this data. Which of the following methods will BEST meet this requirement?

Anonymization
Pseudo-anonymization
Tokenization
Data minimization

A

Anonymization

Explanation:
Anonymization of the data would modify it to hide Personally Identifiable Information (PII) and is the best choice of the available options.

Although not available as a choice, data masking could also meet the requirements.
Pseudo-anonymization replaces some data with pseudonyms, or artificial identifiers, but the process can be reversed to identify the original data, so it isn’t the best choice.
Tokenization doesn’t protect identities but instead replaces data elements with a token, and the token can then be used in place of the original data element.
Data minimization refers to data collection and requires organizations to limit the data they collect and use.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1069). YCDA, LLC. Kindle Edition.

13
Q

Investigations have shown that several recent security incidents originated after employees responded inappropriately to malicious emails. The IT department has sent out multiple emails describing what to do with these emails, but employees continue to respond inappropriately. The chief information officer has directed the Human Resources department to find and implement a solution that will increase user awareness and reduce these incidents. Which of the following would be the BEST solution?

Offboarding
Least Privilege
Gamification
Role-based Training

A

Gamification

Explanation:
Gamification uses various techniques to increase employee interaction, participation, and understanding of topics. This scenario indicates employees are responding to phishing emails and the IT department has been unsuccessful in getting them to respond to phishing emails appropriately.

Offboarding is the process of removing an employee’s access when they leave the company but firing employees isn’t the best choice here.
A principle of least privilege ensures employees have only enough rights and permissions to perform their job and can temporarily limit an attacker’s access after a successful phishing attack, but it won’t prevent an employee’s actions.
Role-based training gives users specific training based on their role, but this scenario doesn’t indicate the problem is limited to any role.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1069). YCDA, LLC. Kindle Edition.

14
Q

Your organization is updating the data policy, and management wants to ensure that employees get training on their responsibilities based on their role. Which of the following BEST describes the responsibilities of data owners and indicates what training they need?

Ensuring data is backed up in accordance with the data policy.
Ensuring data is classified and labeled correctly.
Complying with laws related to privacy.
Understanding common threats, such as malware and phishing attacks.

A

Ensuring data is classified and labeled correctly.

Explanation:
Owners are responsible for identifying the proper classification of data, ensuring it is labeled correctly, and ensuring security controls are implemented to protect the data.

A data custodian (also called a data steward) is responsible for routine daily tasks such as backing up data.
A data protection officer (DPO) is responsible for ensuring the organization is complying with relevant laws.
End users need to be trained on common threats, such as malware and phishing attacks.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1069-1070). YCDA, LLC. Kindle Edition.

15
Q

Organizations that conduct business in the EU must have a position within the organization that can act as an independent advocate for the proper care and use of customer information. Which of the following BEST identifies this position?

Data Owner
Data Custodian
Data Processor
Data Protection Officer

A

Data Protection Officer

Explanation:
The data protection officer (DPO) is a role identified in the General Data Protection Regulation (GDPR), and the GDPR specifies the person in this role needs to act as an independent advocate for customer information.

Data owners are responsible for identifying the proper classification of data, ensuring it is labeled correctly, and ensuring security controls are implemented to protect the data.
A data custodian (also called a data steward) is responsible for routine daily tasks such as backing up data.
A data processor is any entity that uses and manipulates the data.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1070). YCDA, LLC. Kindle Edition.

16
Q

Your organization is involved in a lawsuit. A judge issued a court order requiring your organization to keep all emails from the last 3 years. Your data retention policy states that email should only be maintained from the last 12 months. After investigating, administrators realize that backups contain email from the last 3 years. What should they do with these backups?

Backups older than 12 months should be deleted to comply with the data retention policy.

Backups for the last 12 months should be protected to comply with the legal hold.

Backups for the last 2 years should be protected to comply with the legal hold.

Backups for the last 3 years should be protected to comply with the legal hold.

A

Backups for the last 3 years should be protected to comply with the legal hold.

17
Q

Dan has been working at your company as an accountant. However, after a disagreement with an executive, he decides to leave the company and work at the local mall. He has a user account allowing him to access Network resources. Which of the following is the MOST appropriate step to take?

Ensure his account is disabled when he announces that he will be leaving the company.

Immediately terminate his employment.

Force him to take a mandatory vacation.

Ensure his account is disabled during his Exit Interview.

A

Ensure his account is disabled during his Exit Interview.

18
Q

Management within your organization wants to ensure that users understand the rules of behavior when they access the organization’s computer systems and Networks. Which of the following BEST describes what they would implement to meet this requirement?

AUP
NDA
BYOD
DD

A

AUP (Acceptable Use Policy)

Explanation:
An acceptable use policy (AUP) informs users of company expectations when they use computer systems and networks, and it defines acceptable rules of behavior.

A non-disclosure agreement (NDA) ensures that individuals do not share proprietary data with others.
A bring your own device (BYOD) policy identifies requirements for employee-owned mobile devices.
The dd command (short for data duplicator) is available on Linux systems to copy files or entire disk images. Forensic analysts use it to create an image of a disk without modifying the original disk.

19
Q

Your organization is planning to implement an incident response plan in response to a new incident response Security policy. Which of the following items is the FIRST step in an incident response process?

Preparation
Identification
Containment
Eradication

A

Preparation

Explanation:
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

20
Q

An organization is preparing to hire additional Network administrators. They decide to perform background checks on all personnel after obtaining written permission. Which of the following items is NOT appropriate to include in a background check?

Social Media Presence
Criminal Background
Financial History
Medical History

A

Medical History