Risk Management (4) Flashcards
Which of the following secures access to company data in agreement to management policies?
Technical controls
Administrative controls
HTTPS
Technical controls
Technical controls are applied through technology and may be deterrent, preventive, detective, or compensating. They include hardware or software solutions using access control in accordance with established security policies
You are a server administrator for your company’s private cloud. To provide service to employees, you are instructed to use reliable hard disks in the server to host a virtual environment. Which of the following best describes the reliability of hard drives?
MTTR
RPO
MTBF
MTBF
Mean time between failures (MTBF) is a measurement to show how reliable a hardware component is
You are replacing a number of devices with a mobile appliance that combines several functions. Which of the following describes the new implementation?
Cloud computing
Load balancing
Single point of failure
Single point of failure
Single point of failure is a single weakness that can bring an entire system down and prevent it from working
Which of the following can help mitigate adware intrusions?
Antivirus
Spyware
Pop-up blocker
Pop-up blocker
A pop-up blocker program can help prevent pop-ups from displaying in a user’s web browser. Pop-ups can contain adware or spyware
In the initial stages of a forensics investigation, Zack, a security administrator, was given the hard drive of the compromised workstation by the incident manager. Which of the following data acquisition procedures would Zack need to perform in order to begin the analysis? (Choose two.)
Take hashes
Take screenshots
Capture the system image
Start the order of volatility
Take hashes
Capture the system image
Taking hashes of the hard drive will preserve the evidence. If the hash has not been changed, the data hasn’t changed. Capturing the system image involves making an exact image of the drive so that it can be referenced later in the investigation
Which of the following best describes a Computer Incident Response Team (CIRT)?
Personnel who participate in exercises to practice incident response procedures
Personnel who promptly and correctly handle incidents so they can be quickly contained, investigated, and recovered from
A team to identify planning flaws before an actual incident occurs
Personnel who promptly and correctly handle incidents so they can be quickly contained, investigated, and recovered from
A Computer Incident Response Team (CIRT) includes personnel who promptly and correctly handle incidents so that they can be quickly contained, investigated, and recovered from
Which of the following decreases the success of brute-force attacks?
Password complexity
Account lockout threshold
Enforce password history
Account lockout threshold
The account lockout threshold setting defines the number of failed sign-in attempts that will cause a user account to be locked. This policy best mitigates brute-force password attacks
A warrant has been issued to investigate a file server that is suspected to be part of an organized crime to steal credit card information. You are instructed to follow the order of volatility. Which data would you collect first?
RAM
USB flash drive
Hard disk
RAM
Random access memory (RAM) data is lost when the device is powered off. Therefore, RAM must be properly collected first
What should human resources personnel be trained in regarding security policies?
Guidelines and enforcement
Order of volatility
Penetration assessment
Guidelines and enforcement
A standard operating procedure (SOP) is a document that details the processes that a company will have in place to ensure that routine operations are delivered consistently every time. Guidelines and enforcement are items that are included in an SOP
Which of the following is not a basic concept of computer forensics?
Preserve evidence
Determine if the suspect is guilty based on the findings
Track man-hours and expenses
Determine if the suspect is guilty based on the findings
Determining whether the suspect is guilty is the role of the legal system and is not part of the basic concepts of computer forensics
The Chief Information Officer (CIO) wants to set up a redundant server location so that the production server images can be moved within 36 hours and the servers can be restored quickly, should a catastrophic failure occur at the primary location. Which of the following can be implemented?
Hot site
Cold site
Warm site
Warm site
A warm site is harder to test because it contains only the equipment and no employees or company data
Choose the correct order of volatility when collecting digital evidence.
Hard disk drive, DVD-R, RAM, swap file
Swap file, RAM, DVD-R, hard disk drive
RAM, swap file, hard disk drive, DVD-R
RAM, swap file, hard disk drive, DVD-R
Digital evidence for forensic review must first be collected from the most volatile (not permanent) locations such as RAM and swap files. A swap file is a location on a hard disk drive used as the virtual memory extension of a computer’s RAM. A hard disk drive is the next least volatile, then DVD-R. Some digital evidence can be gathered by using a live boot media
Which of the following pieces of information would be summarized in the lessons learned phase of the incident response process? (Choose three.)
When the problem was first detected and by whom
How the problem was contained and eradicated
The work that was performed during the recovery
Preparing a company’s team to be ready to handle an incident at a moment’s notice
When the problem was first detected and by whom
How the problem was contained and eradicated
The work that was performed during the recovery
The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement
You receive a phone call from an employee reporting that their workstation is acting strangely. You gather information from the intrusion detection system and notice unusual network traffic from the workstation, and you determine the event may be an incident. You report the event to your manager, who then begins to collect evidence and prepare for the next steps. Which phase of the incident response process is this?
Preparation
Identification
Containment
Identification
The identification phase deals with the discovery and determination of whether a deviation from normal operations within a company is an incident. This phase requires a person to collect events from various sources and report the incident as soon as possible
Your manager has asked you to recommend a way to transmit PII via email and maintain its confidentiality. Which of the following options is the best solution?
Hash the information before sending.
Protect the information by using RAID.
Encrypt the information before sending.
Encrypt the information before sending.
Encrypting PII ensures confidentiality.
Which of the following statements best defines change management?
Responding to, containing, analyzing, and recovering from a computer-related incident
Means used to define which access permissions subjects have for a specific object
Procedures followed when configuration changes are made to a network
Procedures followed when configuration changes are made to a network
Change management ensures that proper procedures are followed when configuration changes are made to a network
During which step of the incident response process does identification of incidents that can be prevented or mitigated occur?
Containment
Eradication
Preparation
Preparation
The preparation phase of the incident response process prepares a company’s team to be ready to handle an incident at a moment’s notice. During this step, a company may identify incidents that can be prevented or mitigated
Which of the following best describes the disadvantages of quantitative risk analysis compared to qualitative risk analysis? (Choose two.)
Quantitative risk analysis requires complex calculations.
Quantitative risk analysis is sometimes subjective.
Quantitative risk analysis is generally scenario-based.
Quantitative risk analysis is more time-consuming than qualitative risk analysis.
Quantitative risk analysis requires complex calculations.
Quantitative risk analysis is more time-consuming than qualitative risk analysis.
Quantitative risk analysis requires complex calculations and is more time-consuming.
Which of the following are disadvantages of using a cold site? (Choose two.)
Expense
Recovery time
Testing availability
Administration time
Recovery time
Testing availability
Cold sites require a large amount of time to bring online after a disaster. They are not as readily available for testing as the other alternatives
Which of the following policies should be implemented to minimize data loss or theft?
Password policy
PII handling
Chain of custody
PII handling
Personally identifiable information (PII) is personal information that can be used to identify an individual. Protecting PII is important because if an attacker gains PII, they can use it for financial gain at the expense of the individual
Which of the following should a comprehensive data policy include?
Wiping, disposing, storage, retention
Disposing, patching, storage, retention
Storage, retention, virtualization
Wiping, disposing, storage, retention
Wiping a drive can remove sensitive data. Disposal of hard drives can be done with shredding. Storage includes types of devices and configurations of data safety. Retention can be required for legal and compliance reasons
You have discovered a recent intrusion within the company’s network and have decided to execute incident response procedures. The incident response team has identified audit logs that hold information about the recent security breach. Prior to the incident, a security consulting firm recommended that your company install an NTP server within the network. Which of the following is a setback the incident response team will likely encounter during the assessment?
Order of volatility
Chain of custody
Record time offset
Record time offset
Record time offset is used to validate the date and time stamps of digital forensic evidence
You plan to provide a word processing program to the employees in your company. You decide not to install the program on each employee’s workstation but rather have a cloud service provider host the application. Which of the following risk response techniques best describes the situation?
Risk mitigation
Risk avoidance
Risk transfer
Risk transfer
Risk transfer is the act of moving the risk to a hosted provider that assumes responsibility for recovery and restoration, or of acquiring insurance to cover the costs arising from a risk
Which of the following statements is true about incremental backup?
It backs up all files.
It backs up all new files and any files that have changed since the last full backup without resetting the archive bit.
It backs up all new files and any files that have changed since the last full or incremental backup and resets the archive bit.
It backs up all new files and any files that have changed since the last full or incremental backup and resets the archive bit.
An incremental backup backs up all new files and any files that have changed since the last full backup or incremental backup. Incremental backups clear the archive bit
The chief security officer (CSO) has seen four security breaches during the past 2 years. Each breach cost the company $30,000, and a third-party vendor has offered to repair the security weakness in the system for $250,000. The breached system is set to be replaced in 5 years. Which of the following risk response techniques should the CSO use?
Accept the risk.
Transfer the risk.
Avoid the risk.
Transfer the risk.
The breaches cost the company $60,000 per year, so over the course of 5 years the total will reach $300,000. Transferring the risk will save the company money because the third-party vendor’s solution costs $250,000
Which of the following would not be a guideline for performing a BIA?
Identify impact scenarios that put your business operations at risk.
Approve and execute changes in order to ensure maximum security and availability of IT services.
Calculate RPO, RTO, MTTR, and MTBF.
Approve and execute changes in order to ensure maximum security and availability of IT services.
Approving and executing changes to ensure maximum security and availability of a company’s IT services is considered change management. A business impact analysis (BIA) identifies a company’s risk and determines the effect on ongoing, mission-critical operations and processes
You are a network administrator and have purchased two devices that will work as failovers for each other. Which of the following does this best demonstrate?
Integrity
Availability
Authentication
Availability
Failover is the continuous ability to automatically and flawlessly switch to a highly reliable backup. This can be activated in a redundant manner or in a standby operating mode should the primary server fail. The main purpose of failover is to provide availability of data or service to a user
Your company has lost power and the salespeople cannot take orders because the computers and phone systems are unavailable. Which of the following would be the best options to an alternate business practice? (Choose two.)
Tell the salespeople to go home for the day until the power is restored.
Tell the salespeople to use their cell phones until the power is restored.
Have the salespeople use paper and pen to take orders until the power is restored.
Have the salespeople instruct customers to fax their orders until the power is restored.
Tell the salespeople to use their cell phones until the power is restored.
Have the salespeople use paper and pen to take orders until the power is restored.
An alternate business practice is a temporary substitute for normal business activities. When the power is out, the salespeople can use their cell phones to continue to sell and write the orders on a sheet of paper. Once the power is restored, the salespeople can enter the orders into the system without compromising business activities
Leigh Ann is the new network administrator for a local community bank. She studies the current file server folder structures and permissions. The previous administrator didn’t properly secure customer documents in the folders. Leigh Ann assigns appropriate file and folder permissions to be sure that only the authorized employees can access the data. What security role is Leigh Ann assuming?
Data owner
User
Custodian
Custodian
A custodian configures data protection based on security policies
Which of the following methods is not recommended for removing data from a storage media that is used to store confidential information?
Formatting
Shredding
Wiping
Formatting
Formatting is not a recommended method. Formatting removes the pointer to the location of the data on the storage media but does not ensure the data is removed