Module 13: Incident Preparation, Response, & Investigation Q Flashcards
While talking to a new client, the client asked you why access control is mostly used in enterprise networks rather than home networks.
How should you reply?
An enterprise network will have more sensitive and confidential information
When multiple individuals could potentially have access to sensitive information in an enterprise, access control is essential
Who implements access control based on the security level determined by the data owner?
Data custodian
Data custodians, or stewards, implement access control based on the security level determined by the data owner
You are working as a security admin in an enterprise and have been asked to choose an access control method so that all users can access multiple systems without crossing their limit of access. Which of the following access control methods is the best fit?
Rule-based access control
Rule-based access control is the best fit in this case, as rule-based access control dynamically assigns roles to subjects based on a set of rules defined by a custodian
Which of the following access control schemes is most secure?
Mandatory access control
MAC is the most restrictive and most secure access control scheme, as the end user has no control over the objects
In a security meeting, you are asked to suggest access control schemes in which you have high flexibility when configuring access to the enterprise resources.
Which of the following should you suggest?
Attribute-based access control
Attribute-based access control is highly flexible, as it uses policies that can combine different attributes
The devices in your enterprise are configured with mandatory access control in which salaries.xlsx is labeled “secret,” transactions.xlsx is labeled “top secret,” and employees.xlsx is labeled “confidential.” You were asked to configure the user clearance so that User A can access all three files, while User B can only access employees.xlsx.
How should you configure the user clearance?
User A: top secret; User B: confidential
Top secret clearance allows User A to access all three files, and confidential clearance only allows User B to access employees.xlsx
Who ensures the enterprise complies with data privacy laws and its own privacy policies?
Data privacy officer
The data privacy officer oversees data privacy compliance and manages data risk
Which of the following access management controls best fits a home network?
Discretionary access control
DAC best fits a home network since it can be easily managed, and there are fewer restrictions imposed on home networks
Windows switches to Secure Desktop Mode when the UAC prompt appears. What is the objective of Secure Desktop Mode?
To prevent malware from tricking users by spoofing what appears on the screen
Secure Desktop Mode allows only trusted processes running at the system integrity level to run. This prevents malware from spoofing what appears on the screen to trick users
You are working as a security administrator. Your enterprise has asked you to choose an access control scheme in which a user is authorized to access the resources if the user has a specific attribute and denied if they don’t.
Which of the following access control schemes should you choose?
Attribute-based access control
Attribute-based access control rules can be formatted using an if-then-else structure
You are a data steward. You have been asked to restrict User A, who has an access clearance of “top secret” in a MAC-enabled network, from accessing files with the access label “secret,” without affecting any other user.
What action should you take?
Change the access clearance of User A to “confidential”
Changing User A’s access clearance to “confidential” will restrict User A from accessing “secret” files
You are a senior security admin in your enterprise. You have been asked to perform an incident response exercise so that you and your colleagues can analyze every possible scenario in case of an attack in the most realistic manner.
Which of the following actions should you take?
You should run a plausible simulated attack on the network
Simulating an attack using a realistic scenario allows for the most realistic analysis of every possible attack scenario
Which of the following attack frameworks illustrates that attacks are an integrated end-to-end process, and that disrupting any one of the steps will interrupt the entire attack process?
Cyber Kill Chain
The Cyber Kill Chain illustrates that attacks are an integrated end-to-end process, and that disrupting any one of the steps will interrupt the entire attack process
In a security review meeting, you are asked to make sure that the cybersecurity team is constantly updated on the tactics used by threat actors when they interact with systems during an attack. To which of the following attack frameworks will you refer to meet the goal?
MITRE ATT&CK
MITRE ATT&CK is a knowledge base of attacker techniques that have been broken down and classified in detail. MITRE ATT&CK focuses on how threat actors interact with systems during an operation
Containment is most effective when the network is properly designed. Which of the following contributes to effective network design?
Network segmentation
Network segmentation helps contain attacks in properly designed networks
In a security meeting, you were asked about which response method would require less manual intervention per response. Which of the following should you choose?
Runbook
A runbook is a series of automated conditional steps that are part of an incident response procedure. A runbook usually has actions that are performed automatically
Which of the following is performed during the incident response phase?
Making configuration changes
Making configuration changes to firewall rules, digital certificates, content/URL filters, data loss prevention settings, and mobile device management settings is part of the incident response phase. This is done to reduce the effect of or contain an attack
A security breach recently occurred in your enterprise. During the incident investigation, you are asked to examine network-based device logs. Which of the following network devices should you examine first?
Firewall
Firewall log files should be examined first, as the firewall is the primary network device through which traffic passes
Which of the following network-based device logs are the least important when performing an incident investigation?
Routers and switches
Router and switch log files are the least important, as they cannot be directly targeted by outside attackers. Malicious traffic reaches routers and switches only after breaching all other security devices
Your enterprise devices are configured with mandatory access control. How should you control user access so that files with a “top secret” label cannot be accessed by any users while “secret” files remain accessible?
You should set the clearance of all users to “secret.”
When user clearance is set to “secret,” users cannot access “top secret” files but can still access “secret” files
You are a cybersecurity forensic analyst. When conducting an investigation, which of the following actions should you perform first to ensure the highest chance of success in the investigation?
Secure the evidence
Immediately following a security breach, a digital forensic expert must secure the scene by securing evidence
You are performing digital forensics in an enterprise that recently experienced a security breach. You successfully retrieved all volatile data, and your next focus is hard drives. How should you collect evidence from the hard drives without tainting any evidence?
Use mirror image backups
Mirror image backups replicate every hard drive sector, including all files and any hidden data storage areas
In an interview, you are asked to explain why software forensic tools are used more than forensic hardware workstations. How should you reply?
Forensic hardware workstations are more expensive than forensic software tools
Forensic hardware workstations are expensive, which makes forensic software tools the more common choice for most investigators
Which of the following helps achieve data privacy in an enterprise network?
Access control schemes
Access control schemes help data privacy by restricting unauthorized access
Which of the following is a legal complication related to forensics that should be considered when creating a cloud platform?
Jurisdictional applicability
Legal procedures are based on the jurisdiction where the cloud resources are located. This complicates legal action in cloud forensics, because the laws of one jurisdiction will likely not apply in another jurisdiction or country
Which of the following is an example of evidence collected from metadata?
Time stamp
A time stamp is the recorded time that an event took place irrespective of the location of the endpoint. Time stamp metadata can be crucial evidence when investigating an incident
You are a cybersecurity investigator who needs to query log files for faster analysis during an incident investigation. Which of the following log management tools should you use?
journalctl
journalctl is a Linux utility used for querying and displaying log files
Which of the following log management tools has content filtering?
syslog-ng
syslog-ng is an open-source utility for UNIX devices that includes content filtering
Why are mobile devices critical to a digital forensics investigation?
Mobile devices are almost continually in a user’s possession
Mobile devices are almost always in a user’s possession, so they hold significant evidence such as call details, GPS data, and app data, which makes mobile devices especially important in cyber forensics
The initial investigation after an enterprise security breach revealed that the breach was caused by an unauthorized device physically connected to the enterprise network. Which of the following logs should you examine first while conducting a detailed investigation?
DHCP server logs
DHCP server logs can identify new systems that mysteriously appear and then disappear as part of the network. They can also show what hardware device had which IP address at a specific time