Risk Management (4) Flashcards

1
Q

Which of the following secures access to company data in accordance with management policies?

Technical controls

Administrative controls

HTTPS

A

Technical controls

Technical controls are applied through technology and may be deterrent, preventive, detective, or compensating. They include hardware or software solutions that enforce access control in accordance with established security policies.

2
Q

You are a server administrator for your company’s private cloud. To provide service to employees, you are instructed to use reliable hard disks in the server to host a virtual environment. Which of the following best describes the reliability of hard drives?

MTTR

RPO

MTBF

A

MTBF

Mean time between failures (MTBF) is a measurement that shows how reliable a hardware component is.

3
Q

You are replacing a number of devices with a mobile appliance that combines several functions. Which of the following describes the new implementation?

Cloud computing

Load balancing

Single point of failure

A

Single point of failure

A single point of failure is a single weakness that can bring an entire system down and prevent it from working.

4
Q

Which of the following can help mitigate adware intrusions?

Antivirus

Spyware

Pop-up blocker

A

Pop-up blocker

A pop-up blocker program can help prevent pop-ups from displaying in a user’s web browser. Pop-ups can contain adware or spyware.

5
Q

In the initial stages of a forensics investigation, Zack, a security administrator, was given the hard drive of the compromised workstation by the incident manager. Which of the following data acquisition procedures would Zack need to perform in order to begin the analysis? (Choose two.)

Take hashes

Take screenshots

Capture the system image

Start the order of volatility

A

Take hashes

Capture the system image

Taking hashes of the hard drive will preserve the evidence. If the hash has not changed, the data hasn’t changed. Capturing the system image involves making an exact image of the drive so that it can be referenced later in the investigation.

6
Q

Which of the following best describes a Computer Incident Response Team (CIRT)?

Personnel who participate in exercises to practice incident response procedures

Personnel who promptly and correctly handle incidents so they can be quickly contained, investigated, and recovered from

A team to identify planning flaws before an actual incident occurs

A

Personnel who promptly and correctly handle incidents so they can be quickly contained, investigated, and recovered from

A Computer Incident Response Team (CIRT) includes personnel who promptly and correctly handle incidents so that they can be quickly contained, investigated, and recovered from.

7
Q

Which of the following decreases the success of brute-force attacks?

Password complexity

Account lockout threshold

Enforce password history

A

Account lockout threshold

The account lockout threshold setting defines the number of failed sign-in attempts that will cause a user account to be locked. This policy is the best mitigation for brute-force password attacks.

8
Q

A warrant has been issued to investigate a file server that is suspected to be part of an organized crime to steal credit card information. You are instructed to follow the order of volatility. Which data would you collect first?

RAM

USB flash drive

Hard disk

A

RAM

Random access memory (RAM) data is lost when the device is powered off. Therefore, RAM must be properly collected first.

9
Q

What should human resources personnel be trained in regarding security policies?

Guidelines and enforcement

Order of volatility

Penetration assessment

A

Guidelines and enforcement

A standard operating procedure (SOP) is a document that details the processes a company has in place to ensure that routine operations are delivered consistently every time. Guidelines and enforcement are items that are included in an SOP.

10
Q

Which of the following is not a basic concept of computer forensics?

Preserve evidence

Determine if the suspect is guilty based on the findings

Track man-hours and expenses

A

Determine if the suspect is guilty based on the findings

Determining whether the suspect is guilty is the role of the legal system; it is not a basic concept of computer forensics.

11
Q

The Chief Information Officer (CIO) wants to set up a redundant server location so that the production server images can be moved within 36 hours and the servers can be restored quickly, should a catastrophic failure occur at the primary location. Which of the following can be implemented?

Hot site

Cold site

Warm site

A

Warm site

A warm site is harder to test because it contains only the equipment and no employees or company data.

12
Q

Choose the correct order of volatility when collecting digital evidence.

Hard disk drive, DVD-R, RAM, swap file

Swap file, RAM, DVD-R, hard disk drive

RAM, swap file, hard disk drive, DVD-R

A

RAM, swap file, hard disk drive, DVD-R

Digital evidence for forensic review must first be collected from the most volatile (least permanent) locations, such as RAM and swap files. A swap file is a location on a hard disk drive used as the virtual memory extension of a computer’s RAM. A hard disk drive is the next least volatile, then DVD-R. Some digital evidence can be gathered by using live boot media.

13
Q

Which of the following pieces of information would be summarized in the lessons learned phase of the incident response process? (Choose three.)

When the problem was first detected and by whom

How the problem was contained and eradicated

The work that was performed during the recovery

Preparing a company’s team to be ready to handle an incident at a moment’s notice

A

When the problem was first detected and by whom

How the problem was contained and eradicated

The work that was performed during the recovery

The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement.

14
Q

You receive a phone call from an employee reporting that their workstation is acting strangely. You gather information from the intrusion detection system and notice unusual network traffic from the workstation, and you determine the event may be an incident. You report the event to your manager, who then begins to collect evidence and prepare for the next steps. Which phase of the incident response process is this?

Preparation

Identification

Containment

A

Identification

The identification phase deals with the discovery and determination of whether a deviation from normal operations within a company is an incident. This phase requires a person to collect events from various sources and report the incident as soon as possible.

15
Q

Your manager has asked you to recommend a way to transmit PII via email and maintain its confidentiality. Which of the following options is the best solution?

Hash the information before sending.

Protect the information by using RAID.

Encrypt the information before sending.

A

Encrypt the information before sending.

Encrypting PII ensures confidentiality.

16
Q

Which of the following statements best defines change management?

Responding to, containing, analyzing, and recovering from a computer-related incident

Means used to define which access permissions subjects have for a specific object

Procedures followed when configuration changes are made to a network

A

Procedures followed when configuration changes are made to a network

Change management ensures that proper procedures are followed when configuration changes are made to a network.

17
Q

During which step of the incident response process does identification of incidents that can be prevented or mitigated occur?

Containment

Eradication

Preparation

A

Preparation

The preparation phase of the incident response process prepares a company’s team to be ready to handle an incident at a moment’s notice. During this step, a company may identify incidents that can be prevented or mitigated.

18
Q

Which of the following best describes the disadvantages of quantitative risk analysis compared to qualitative risk analysis? (Choose two.)

Quantitative risk analysis requires complex calculations.

Quantitative risk analysis is sometimes subjective.

Quantitative risk analysis is generally scenario-based.

Quantitative risk analysis is more time-consuming than qualitative risk analysis.

A

Quantitative risk analysis requires complex calculations.

Quantitative risk analysis is more time-consuming than qualitative risk analysis.

Quantitative risk analysis requires complex calculations and is more time-consuming.

19
Q

Which of the following are disadvantages of using a cold site? (Choose two.)

Expense

Recovery time

Testing availability

Administration time

A

Recovery time

Testing availability

Cold sites require a large amount of time to bring online after a disaster. They are not as easily available for testing as other alternatives.

20
Q

Which of the following policies should be implemented to minimize data loss or theft?

Password policy

PII handling

Chain of custody

A

PII handling

Personally identifiable information (PII) is personal information that can be used to identify an individual. Protecting PII is important because if an attacker gains PII, they can use it for financial gain at the expense of the individual.

21
Q

Which of the following should a comprehensive data policy include?

Wiping, disposing, storage, retention

Disposing, patching, storage, retention

Storage, retention, virtualization

A

Wiping, disposing, storage, retention

Wiping a drive can remove sensitive data. Disposal of hard drives can be done by shredding. Storage covers the types of devices used and the configurations that keep data safe. Retention can be required for legal and compliance reasons.

22
Q

You have revealed a recent intrusion within the company’s network and have decided to execute incident response procedures. The incident response team has identified audit logs that hold information about the recent security breach. Prior to the incident, a security consulting firm recommended that your company install an NTP server within the network. Which of the following is a setback the incident response team will likely encounter during the assessment?

Order of volatility

Chain of custody

Record time offset

A

Record time offset

Record time offset is used to validate the date and time stamps of digital forensic evidence.

23
Q

You plan to provide a word processing program to the employees in your company. You decide not to install the program on each employee’s workstation but rather have a cloud service provider host the application. Which of the following risk response techniques best describes the situation?

Risk mitigation

Risk avoidance

Risk transfer

A

Risk transfer

Risk transfer is the act of moving the risk to a hosted provider who assumes responsibility for recovery and restoration, or of acquiring insurance to cover the costs arising from a risk.

24
Q

Which of the following statements is true about incremental backup?

It backs up all files.

It backs up all new files and any files that have changed since the last full backup without resetting the archive bit.

It backs up all new files and any files that have changed since the last full or incremental backup and resets the archive bit.

A

It backs up all new files and any files that have changed since the last full or incremental backup and resets the archive bit.

An incremental backup backs up all new files and any files that have changed since the last full backup or incremental backup. Incremental backups clear the archive bit.

25
Q

The chief security officer (CSO) has seen four security breaches during the past 2 years. Each breach cost the company $30,000, and a third-party vendor has offered to repair the security weakness in the system for $250,000. The breached system is set to be replaced in 5 years. Which of the following risk response techniques should the CSO use?

Accept the risk.

Transfer the risk.

Avoid the risk.

A

Transfer the risk.

The breaches cost the company $60,000 per year, so over the course of 5 years the total will be $300,000. Transferring the risk will save the company money because the third-party vendor’s solution will cost $250,000.

26
Q

Which of the following would not be a guideline for performing a BIA?

Identify impact scenarios that put your business operations at risk.

Approve and execute changes in order to ensure maximum security and availability of IT services.

Calculate RPO, RTO, MTTR, and MTBF.

A

Approve and execute changes in order to ensure maximum security and availability of IT services.

Approving and executing changes to ensure maximum security and availability of a company’s IT services is considered change management. A business impact analysis (BIA) identifies a company’s risk and determines the effect on ongoing, mission-critical operations and processes.

27
Q

You are a network administrator and have purchased two devices that will work as failovers for each other. Which of the following does this best demonstrate?

Integrity

Availability

Authentication

A

Availability

Failover is the continuous ability to automatically and flawlessly switch to a highly reliable backup. This can be activated in a redundant manner or in a standby operating mode should the primary server fail. The main purpose of failover is to provide availability of data or service to a user.

28
Q

Your company has lost power and the salespeople cannot take orders because the computers and phone systems are unavailable. Which of the following would be the best options to an alternate business practice? (Choose two.)

Tell the salespeople to go home for the day until the power is restored.

Tell the salespeople to use their cell phones until the power is restored.

Have the salespeople use paper and pen to take orders until the power is restored.

Have the salespeople instruct customers to fax their orders until the power is restored.

A

Tell the salespeople to use their cell phones until the power is restored.

Have the salespeople use paper and pen to take orders until the power is restored.

An alternate business practice is a temporary substitute for normal business activities. When the power is out, the salespeople can use their cell phones to continue to sell and write the orders on a sheet of paper. Once the power is restored, the salespeople can enter the orders into the system without compromising business activities.

29
Q

Leigh Ann is the new network administrator for a local community bank. She studies the current file server folder structures and permissions. The previous administrator didn’t properly secure customer documents in the folders. Leigh Ann assigns appropriate file and folder permissions to be sure that only the authorized employees can access the data. What security role is Leigh Ann assuming?

Data owner

User

Custodian

A

Custodian

A custodian configures data protection based on security policies.

30
Q

Which of the following methods is not recommended for removing data from a storage media that is used to store confidential information?

Formatting

Shredding

Wiping

A

Formatting

Formatting is not a recommended method. Formatting removes the pointer to the location of the data on the storage media but does not ensure the data is removed.