Domain 4.0: Operations and Incident Response Flashcards

1
Q

ping

A

Command-line tool that tests network connectivity.

2
Q

nmap

A

Network scanning tool, often used in security audits.

3
Q

netstat

A

Shows network statistics including protocol, source and destination addresses, and connection state.

4
Q

netcat

A

Network utility for gathering information from transport-layer network connections.

5
Q

dig and nslookup

A

Troubleshooting tools that query DNS servers.

6
Q

What are common command-line tools for file display and manipulation?

A

head, tail and cat

7
Q

Python

A

General-purpose programming language.

8
Q

TCP

A

Packet analyzer tool that captures TCP/IP packets.

9
Q

PowerShell

A

Command-line shell and scripting interface for MS Windows environments.

10
Q

What are examples of forensic tools?

A

dd, memdump, WinHex, FTK Imager and Autopsy

11
Q

Where can protocol analyzers be placed in a network?

A
  • Placed inline
  • In between the devices whose traffic you want to capture.

12
Q

What are some of the most common firewall configuration errors?

A

Permission for traffic to run from any source to any destination

Unnecessary services running

Weak authentication

Log file negligence

13
Q

What problems can a misconfigured web content filter cause?

A
  • Blocks legitimate content
  • Allows prohibited content

14
Q

What should happen before conducting vulnerability or penetration tests?

A

Written authorization should be required

15
Q

Incident Response plans should include details related to what?

A
  • Incident categorization
  • Preparation
  • Role
  • Responsibilities
  • Reporting requirements
  • Escalation procedures
  • Details on cyber incident response and training exercises
16
Q

Incident response process should include the following:

A
  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Post-incident events (e.g. lessons learned).
17
Q

Order of volatility

A

Description of the order in which evidence should be collected: from the most volatile systems to the least volatile.

18
Q

Which is considered to be most volatile?

A

Data in RAM and in swap or paging files is considered to be the most volatile.

19
Q

Chain of custody

A

Ensures that evidence is properly handled.

20
Q

What type of data acquisition occurs during and after an incident?

A

System images, traffic logs, video, time offset, hashes, screenshots and witness interviews.

21
Q

What should happen when examining computers?

A

Their date and time settings are recorded and compared with the current time. These can be used to calculate the difference between the two. The difference is then used as an offset and applied to all the time-based evidence on the computer.

22
Q

MITRE ATT&CK

A

Framework, similar to a kill chain, that provides a reference for incident response.

23
Q

Diamond Model of Intrusion Analysis

A

It places the basic components of malicious activity at one of four points: adversary, infrastructure, capability and victim.

24
Q

Two main approaches for incident response exercises

A

Discussion-oriented and simulation.

25
Q

BCP and COOP

A
BCP = Business Continuity Planning
COOP = Continuity of Operations Plan

They ensure restoration of organizational functions in the shortest possible time, even if services resume at a reduced level of effectiveness or availability.