Domain 7: Review Questions Flashcards
What is the first step of the incident response process?
A. Respond to the incident.
B. Detect the incident.
C. Report the incident.
D. Recover from the incident.
B.
The steps of the incident response process are as follows:
1. Detect the incident.
2. Respond to the incident.
3. Report the incident to the appropriate personnel.
4. Recover from the incident.
5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed.
6. Review the incident and document all findings.
What is the second step of the forensic investigations process?
A. Identification
B. Collection
C. Preservation
D. Examination
C.
The steps of the forensic investigation process are as follows:
1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Presentation
7. Decision
Which of the following is not one of the five rules of evidence?
A. Be accurate.
B. Be complete.
C. Be admissible.
D. Be volatile.
D.
The five rules of evidence are as follows:
* Be authentic.
* Be accurate.
* Be complete.
* Be convincing.
* Be admissible.
Which of the following refers to allowing access to users only to the minimum resources required to do their jobs?
A. Job rotation
B. Separation of duties
C. Least privilege
D. Mandatory vacation
C.
When security professionals allow access to resources and assign rights to perform operations, the concept of least privilege should always be applied. In the context of resource access, this means the default level of access should be no access. Users should be given access only to resources required to do their jobs, and that access should require manual implementation after the requirement is verified by a supervisor.
Which of the following is an example of an intangible asset?
A. Disc drive
B. Recipe
C. People
D. Windows server
B.
In many cases, some of the most valuable assets for a company are intangible ones, such as secret recipes, formulas, and trade secrets.
Which of the following is not a step in incident response management?
A. Detect
B. Respond
C. Monitor
D. Report
C.
The steps in incident response management are
1. Detect the incident.
2. Respond to the incident.
3. Mitigate the incident.
4. Report the incident.
5. Recover from the incident.
6. Remediate the incident.
7. Review and document lessons learned.
Which of the following is not a backup type?
A. Full
B. Incremental
C. Grandfather/father/son
D. Transaction log
C. Grandfather/father/son is not a backup type; it is a backup rotation scheme.
In the first in, first out (FIFO) scheme, the newest backup is saved to the oldest media. Although this is the simplest rotation scheme, it does not protect against data errors. If an error in data exists, the organization might not have a version of the data that does not contain the error.
In the grandfather/father/son (GFS) scheme, three sets of backups are defined. Most often these three definitions are daily, weekly, and monthly. The daily backups are the sons, the weekly backups are the fathers, and the monthly backups are the grandfathers. Each week, one son advances to the father set. Each month, one father advances to the grandfather set.
Which term is used for a facility that contains all the resources needed for full operation?
A. Cold site
B. Hot site
C. Warm site
D. Tertiary site
B. A hot site is a leased facility that contains all the resources needed for full operation.
Which electronic backup type stores data on optical discs and uses robotics to load and unload the optical disks as needed?
A. Optical jukebox
B. Hierarchical storage management
C. Tape vaulting
D. Replication
A. An optical jukebox stores data on optical discs and uses robotics to load and unload the optical discs as needed.
What is failsoft?
A. The capacity of a system to switch over to a backup system if a failure in the primary system occurs
B. The capability of a system to terminate noncritical processes when a failure occurs
C. A software product that provides load-balancing services
D. High-capacity storage devices that are connected by a high-speed private network using storage-specific switches
B. Failsoft is the capability of a system to terminate noncritical processes when a failure occurs.
An organization’s firewall is monitoring the outbound flow of information from one network to another. What specific type of monitoring is this?
A. Egress monitoring
B. Continuous monitoring
C. CMaaS
D. Resource provisioning
A. Egress monitoring occurs when an organization monitors the outbound flow of information from one network to another. The most popular form of egress monitoring is carried out using firewalls that monitor and control outbound traffic.
Continuous monitoring and Continuous Monitoring as a Service (CMaaS) are not specific enough to answer this question. Any logging and monitoring activities should be part of an organizational continuous monitoring program. The continuous monitoring program must be designed to meet the needs of the organization and implemented correctly to ensure that the organization’s critical infrastructure is guarded. Organizations may want to look into CMaaS solutions deployed by cloud service providers. Resource provisioning is the process in security operations that ensures that the organization deploys only the assets that it currently needs.
Which of the following are considered virtual assets? (Choose all that apply.)
A. Software-defined networks
B. Virtual storage-area networks
C. Guest OSs deployed on VMs
D. Virtual routers
a, b, c, d.
Virtual assets include software-defined networks (SDNs), virtual storage-area networks (VSANs), guest operating systems deployed on virtual machines (VMs), and virtual routers. As with physical assets, the deployment and decommissioning of virtual assets should be tightly controlled as part of configuration management because virtual assets, like physical assets, can be compromised.
Which of the following describes the ability of a system, device, or data center to recover quickly and continue operating after an equipment failure, power outage, or other disruption?
A. Quality of service (QoS)
B. Recovery time objective (RTO)
C. Recovery point objective (RPO)
D. System resilience
D. System resilience is the ability of a system, device, or data center to recover quickly and continue operating after an equipment failure, power outage, or other disruption. It involves the use of redundant components or facilities.
Quality of service (QoS) is a technology that manages network resources to ensure a predefined level of service. It assigns traffic priorities to the different types of traffic on a network. A recovery time objective (RTO) stipulates the amount of time an organization needs to recover from a disaster, and a recovery point objective (RPO) stipulates the amount of data an organization can lose when a disaster occurs.
Which of the following are the main factors that affect the selection of an alternate location during the development of a DRP? (Choose all that apply.)
A. Geographic location
B. Organizational needs
C. Location’s cost
D. Location’s restoration effort
a, b, c, d. The main factors that affect the selection of an alternate location during the development of a disaster recovery plan (DRP) include the following:
- Geographic location
- Organizational needs
- Location’s cost
- Location’s restoration effort
Which of the following is a hard-drive technology in which data is written across multiple disks in such a way that when one disk fails, data can be made available from other functioning disks?
A. RAID
B. Clustering
C. Failover
D. Load balancing
A.
Redundant Array of Independent Disks (RAID) is a hard-drive technology in which data is written across multiple disks in such a way that a disk can fail and the data can be quickly made available from remaining disks in the array without restoring from a backup tape or other backup media. Clustering refers to a software product that provides load-balancing services. With clustering, one instance of an application server acts as a master controller and distributes requests to multiple instances using round-robin, weighted round-robin, or least-connections algorithms. Failover is the capacity of a system to switch over to a backup system if a failure in the primary system occurs. Load balancing refers to a hardware product that provides load-balancing services. Application delivery controllers (ADCs) support the same algorithms but also use complex number-crunching processes, such as per-server CPU and memory utilization, fastest response times, and so on, to adjust the balance of the load. Load-balancing solutions are also referred to as farms or pools
You need to record incoming and outgoing network traffic information in order to determine the origin of an attack. Which of the following logs would be appropriate for this purpose?
A. System log
B. Application log
C. Firewall log
D. Change log
C.
Firewall logs record network traffic information, including incoming and outgoing traffic. This usually includes important data, such as IP addresses and port numbers that can be used to determine the origin of an attack. System logs record system events, such as system and service startup and shutdown. Applications logs record actions that occur within a specific application. Change logs report changes made to a specific device or application as part of the change management process.
What should you perform on all information accepted into a system to ensure that it is of the right data type and format and that it does not place the system in an insecure state?
A. Clipping levels
B. Two-person control
C. Access review audits
D. Input validation
D.
The main thrust of input/output control is to apply controls or checks to the input that is allowed to be submitted to the system. Performing input validation on all information accepted into the system can ensure that it is of the right data type and format and that it does not leave the system in an insecure state. Clipping levels set a baseline for normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred. A two-person control, also referred to as a two-man rule, occurs when certain access and actions require the presence of two authorized people at all times. Access review audits ensure that object access and user account management practices adhere to the organization’s security policy.
Which of the following defenses would you implement to discourage a determined intruder?
A. 3 to 4 feet tall fence
B. 6 to 7 feet tall fence
C. 8 feet and taller fence
D. Geo-fence
C.
Fencing is the first line of defense in the concentric circle paradigm. When selecting the type of fencing to install, consider the determination of the individuals you are trying to discourage. Use the following guidelines with respect to height:
* Fences 3 to 4 feet tall deter only casual intruders.
* Fences 6 to 7 feet tall are too tall to climb easily.
* Fences 8 feet and taller deter more determined intruders, especially when those fences are augmented with razor wire.
A geo-fence is a geographic area within which devices are managed using some sort of radio frequency communication. It is used to track users or devices entering or leaving the geo-fence area.
Which of the following actions could you perform to logically harden a system? (Choose all that apply.)
A. Remove unnecessary applications.
B. Disable unnecessary services.
C. Block unused ports.
D. Tightly control the connecting of external storage devices and media.
a, b, c, d.
An ongoing goal of operations security is to ensure that all systems have been hardened to the extent that is possible and still provide functionality. The following actions can be performed to logically harden a system:
* Remove unnecessary applications.
* Disable unnecessary services.
* Block unused ports.
* Tightly control the connecting of external storage devices and media if it’s allowed at all.
Mary is reviewing the availability controls for the system architecture shown here. What technology is shown that provides fault tolerance for the database servers?
A. Failover cluster
B. UPS
C. Tape backup
D. Cold site
A.
The illustration shows an example of a failover cluster, where DB1 and DB2 are both configured as database servers. At any given time, only one will function as the active database server, while the other remains ready to assume responsibility if the first one fails. While the environment may use UPS, tape backup, and cold sites as disaster recovery and business continuity controls, they are not shown in the diagram.
Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?
A. Read only
B. Editor
C. Administrator
D. No access
D.
The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.
When one of the employees of Alice’s company calls in for support, she uses a code word that the company agreed to use if employees were being forced to perform an action. What is this scenario called?
A. Social engineering
B. Duress
C. Force majeure
D. Stockholm syndrome
B.
Duress, or being under threat of violence or other constraints, is a concern for organizations such as banks, jewelry stores, or other organizations where an attacker may attempt to force an employee to perform actions. Organizations that expect that a scenario like this may occur will often use duress code words that let others know that they are performing actions under threat.
Tim is configuring a privileged account management solution for his organization. Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions?
A. Purging log entries
B. Restoring a system from backup
C. Logging into a workstation
D. Managing user accounts
C.
While most organizations would want to log attempts to log in to a workstation, this is not considered a privileged administrative activity and would go through normal logging processes.
Jordan is preparing to bring evidence into court after a cybersecurity incident investigation. He is responsible for preparing the physical artifacts, including affected servers and mobile devices. What type of evidence consists entirely of tangible items that may be brought into a court of law?
A. Documentary evidence
B. Parol evidence
C. Testimonial evidence
D. Real evidence
D.
Real evidence consists of things that may actually be brought into a courtroom as evidence. For example, real evidence includes hard disks, weapons, and items containing fingerprints. Documentary evidence consists of written items that may or may not be in tangible form. Testimonial evidence is verbal testimony given by witnesses with relevant information. The parol evidence rule says that when an agreement is put into written form, the written document is assumed to contain all the terms of the agreement.