Domain 7: Review Questions Flashcards

1
Q

What is the first step of the incident response process?

A. Respond to the incident.
B. Detect the incident.
C. Report the incident.
D. Recover from the incident.

A

B.

The steps of the incident response process are as follows:
1. Detect the incident.
2. Respond to the incident.
3. Report the incident to the appropriate personnel.
4. Recover from the incident.
5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed.
6. Review the incident and document all findings.

2
Q

What is the second step of the forensic investigations process?

A. Identification
B. Collection
C. Preservation
D. Examination

A

C.

The steps of the forensic investigation process are as follows:
1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Presentation
7. Decision

3
Q

Which of the following is not one of the five rules of evidence?

A. Be accurate.
B. Be complete.
C. Be admissible.
D. Be volatile.

A

D.

The five rules of evidence are as follows:
* Be authentic.
* Be accurate.
* Be complete.
* Be convincing.
* Be admissible.

4
Q

Which of the following refers to allowing access to users only to the minimum resources required to do their jobs?

A. Job rotation
B. Separation of duties
C. Least privilege
D. Mandatory vacation

A

C. When security professionals allow access to resources and assign rights to perform operations, the concept of least privilege should always be applied. In the context of resource access, this means the default level of access should be no access. Users should be given access only to resources required to do their jobs, and that access should require manual implementation after the requirement is verified by a supervisor.

5
Q

Which of the following is an example of an intangible asset?

A. Disc drive
B. Recipe
C. People
D. Windows server

A

B. In many cases, some of the most valuable assets for a company are intangible ones, such as secret recipes, formulas, and trade secrets.

6
Q

Which of the following is not a step in incident response management?

A. Detect
B. Respond
C. Monitor
D. Report

A

C.

The steps in incident response management are
1. Detect the incident.
2. Respond to the incident.
3. Mitigate the incident.
4. Report the incident.
5. Recover from the incident.
6. Remediate the incident.
7. Review and document lessons learned.

7
Q

Which of the following is not a backup type?

A. Full
B. Incremental
C. Grandfather/father/son
D. Transaction log

A

C. Grandfather/father/son is not a backup type; it is a backup rotation scheme.

8
Q

Which term is used for a facility that contains all the resources needed for full operation?

A. Cold site
B. Hot site
C. Warm site
D. Tertiary site

A

B. A hot site is a leased facility that contains all the resources needed for full operation.

9
Q

Which electronic backup type stores data on optical discs and uses robotics to load and unload the optical discs as needed?

A. Optical jukebox
B. Hierarchical storage management
C. Tape vaulting
D. Replication

A

A. An optical jukebox stores data on optical discs and uses robotics to load and unload the optical discs as needed.

10
Q

What is failsoft?

A. The capacity of a system to switch over to a backup system if a failure in the primary system occurs
B. The capability of a system to terminate noncritical processes when a failure occurs
C. A software product that provides load-balancing services
D. High-capacity storage devices that are connected by a high-speed private network using storage-specific switches

A

B. Failsoft is the capability of a system to terminate noncritical processes when a failure occurs.

11
Q

An organization’s firewall is monitoring the outbound flow of information from one network to another. What specific type of monitoring is this?

A. Egress monitoring
B. Continuous monitoring
C. CMaaS
D. Resource provisioning

A

A. Egress monitoring occurs when an organization monitors the outbound flow of information from one network to another. The most popular form of egress monitoring is carried out using firewalls that monitor and control outbound traffic.

Continuous monitoring and Continuous Monitoring as a Service (CMaaS) are not specific enough to answer this question. Any logging and monitoring activities should be part of an organizational continuous monitoring program. The continuous monitoring program must be designed to meet the needs of the organization and implemented correctly to ensure that the organization’s critical infrastructure is guarded. Organizations may want to look into CMaaS solutions deployed by cloud service providers. Resource provisioning is the process in security operations that ensures that the organization deploys only the assets that it currently needs.

12
Q

Which of the following are considered virtual assets? (Choose all that apply.)

A. Software-defined networks
B. Virtual storage-area networks
C. Guest OSs deployed on VMs
D. Virtual routers

A

A, B, C, D.

Virtual assets include software-defined networks (SDNs), virtual storage-area networks (VSANs), guest operating systems deployed on virtual machines (VMs), and virtual routers. As with physical assets, the deployment and decommissioning of virtual assets should be tightly controlled as part of configuration management because virtual assets, like physical assets, can be compromised.

13
Q

Which of the following describes the ability of a system, device, or data center to recover quickly and continue operating after an equipment failure, power outage, or other disruption?

A. Quality of service (QoS)
B. Recovery time objective (RTO)
C. Recovery point objective (RPO)
D. System resilience

A

D. System resilience is the ability of a system, device, or data center to recover quickly and continue operating after an equipment failure, power outage, or other disruption. It involves the use of redundant components or facilities.

Quality of service (QoS) is a technology that manages network resources to ensure a predefined level of service. It assigns traffic priorities to the different types of traffic on a network. A recovery time objective (RTO) stipulates the amount of time an organization needs to recover from a disaster, and a recovery point objective (RPO) stipulates the amount of data an organization can lose when a disaster occurs.

14
Q

Which of the following are the main factors that affect the selection of an alternate location during the development of a DRP? (Choose all that apply.)

A. Geographic location
B. Organizational needs
C. Location’s cost
D. Location’s restoration effort

A

A, B, C, D.

The main factors that affect the selection of an alternate location during the development of a disaster recovery plan (DRP) include the following:
* Geographic location
* Organizational needs
* Location’s cost
* Location’s restoration effort
15
Q

Which of the following is a hard-drive technology in which data is written across multiple disks in such a way that when one disk fails, data can be made available from other functioning disks?

A. RAID
B. Clustering
C. Failover
D. Load balancing

A

A. Redundant Array of Independent Disks (RAID) is a hard-drive technology in which data is written across multiple disks in such a way that a disk can fail and the data can be quickly made available from the remaining disks in the array without restoring from a backup tape or other backup media. Clustering refers to a software product that provides load-balancing services. With clustering, one instance of an application server acts as a master controller and distributes requests to multiple instances using round-robin, weighted round-robin, or least-connections algorithms. Failover is the capacity of a system to switch over to a backup system if a failure in the primary system occurs. Load balancing refers to a hardware product that provides load-balancing services. Application delivery controllers (ADCs) support the same algorithms but also use complex number-crunching processes, such as per-server CPU and memory utilization, fastest response times, and so on, to adjust the balance of the load. Load-balancing solutions are also referred to as farms or pools.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

You need to record incoming and outgoing network traffic information in order to determine the origin of an attack. Which of the following logs would be appropriate for this purpose?

A. System log
B. Application log
C. Firewall log
D. Change log

A

C. Firewall logs record network traffic information, including incoming and outgoing traffic. This usually includes important data, such as IP addresses and port numbers, that can be used to determine the origin of an attack. System logs record system events, such as system and service startup and shutdown. Application logs record actions that occur within a specific application. Change logs report changes made to a specific device or application as part of the change management process.

17
Q

What should you perform on all information accepted into a system to ensure that it is of the right data type and format and that it does not place the system in an insecure state?

A. Clipping levels
B. Two-person control
C. Access review audits
D. Input validation

A

D. The main thrust of input/output control is to apply controls or checks to the input that is allowed to be submitted to the system. Performing input validation on all information accepted into the system can ensure that it is of the right data type and format and that it does not leave the system in an insecure state. Clipping levels set a baseline for normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred. A two-person control, also referred to as a two-man rule, occurs when certain access and actions require the presence of two authorized people at all times. Access review audits ensure that object access and user account management practices adhere to the organization’s security policy.

18
Q

Which of the following defenses would you implement to discourage a determined intruder?

A. 3 to 4 feet tall fence
B. 6 to 7 feet tall fence
C. 8 feet and taller fence
D. Geo-fence

A

C.

Fencing is the first line of defense in the concentric circle paradigm. When selecting the type of fencing to install, consider the determination of the individuals you are trying to discourage. Use the following guidelines with respect to height:
* Fences 3 to 4 feet tall deter only casual intruders.
* Fences 6 to 7 feet tall are too tall to climb easily.
* Fences 8 feet and taller deter more determined intruders, especially when those fences are augmented with razor wire.
A geo-fence is a geographic area within which devices are managed using some sort of radio frequency communication. It is used to track users or devices entering or leaving the geo-fence area.

19
Q

Which of the following actions could you perform to logically harden a system? (Choose all that apply.)

A. Remove unnecessary applications.
B. Disable unnecessary services.
C. Block unused ports.
D. Tightly control the connecting of external storage devices and media.

A

A, B, C, D.

An ongoing goal of operations security is to ensure that all systems have been hardened to the extent that is possible and still provide functionality. The following actions can be performed to logically harden a system:
* Remove unnecessary applications.
* Disable unnecessary services.
* Block unused ports.
* Tightly control the connecting of external storage devices and media if it’s allowed at all.