Section 21-22 Flashcards
Which of the following describes a security alerting and monitoring tool that collects system, application, and network logs from multiple sources in a centralized system?
a. SIEM.
b. DLP.
c. IDS.
d. SNMP.
Correct answer: a. SIEM.
Security Information and Event Management (SIEM) systems aggregate and analyze log data from various sources, providing real-time analysis and alerts for security incidents.
A security analyst locates a potentially malicious video file on a server and needs to identify both the creation date and the file’s creator. Which of the following actions would most likely give the security analyst the information required?
a. Obtain the file’s SHA-256 hash.
b. Use hexdump on the file’s contents.
c. Check endpoint logs.
d. Query the file’s metadata.
Correct answer: d. Query the file’s metadata.
File metadata contains detailed information about the file, including the creation date, author, and other properties that can help in the investigation of potentially malicious files.
After a recent ransomware attack on a company’s system, an administrator reviewed the log files. Which of the following control types did the administrator use?
a. Compensating.
b. Detective.
c. Preventive.
d. Corrective.
Correct answer: b. Detective.
Detective controls identify and record any incidents or breaches.
Which of the following factors are the most important to address when formulating a training curriculum plan for a security awareness program? (Choose two.)
a. Channels by which the organization communicates with customers.
b. The reporting mechanisms for ethics violations.
c. Threat vectors based on the industry in which the organization operates.
d. Secure software development training for all personnel.
e. Cadence and duration of training events.
f. Retraining requirements for individuals who fail phishing simulations.
Correct answers: c. Threat vectors based on the industry in which the organization operates; e. Cadence and duration of training events.
Which of the following is the phase in the incident response process when a security analyst reviews roles and responsibilities?
a. Preparation.
b. Recovery.
c. Lessons learned.
d. Analysis.
Correct answer: c. Lessons learned.
The lessons learned phase reviews and documents how effective the response was.
A security operations center determines that the malicious activity detected on a server is normal. Which of the following activities describes the act of ignoring detected activity in the future?
a. Tuning.
b. Aggregating.
c. Quarantining.
d. Archiving.
Correct answer: a. Tuning.
Tuning adjusts the system to ignore benign activities.
A company is planning to set up a SIEM system and assign an analyst to review the logs on a weekly basis. Which of the following types of controls is the company setting up?
a. Corrective.
b. Preventive.
c. Detective.
d. Deterrent.
Correct answer: c. Detective.
Detective controls identify and investigate potential security incidents.
During an investigation, an incident response team attempts to understand the source of an incident. Which of the following incident response activities describes this process?
a. Analysis.
b. Lessons learned.
c. Detection.
d. Containment.
Correct answer: a. Analysis.
During the analysis phase, the incident response team examines the evidence, determines the root cause of the incident, and understands how the incident occurred. This phase is crucial for identifying the source and impact of the incident and for developing strategies to mitigate and prevent future incidents.
Which of the following tools can assist with detecting an employee who has accidentally emailed a file containing a customer’s PII?
a. SCAP.
b. NetFlow.
c. Antivirus.
d. DLP.
Correct answer: d. DLP.
DLP (Data Loss Prevention) detects and prevents the unauthorized sharing of sensitive information.
Which of the following describes the reason root cause analysis should be conducted as part of incident response?
a. To gather IoCs for the investigation.
b. To discover which systems have been affected.
c. To eradicate any trace of malware on the network.
d. To prevent future incidents of the same nature.
Correct answer: d. To prevent future incidents of the same nature.
Root cause analysis (RCA) is conducted as part of incident response to identify the underlying cause of an incident. By understanding the root cause, organizations can implement measures to address and mitigate the vulnerabilities or issues that led to the incident. This helps in preventing similar incidents from occurring in the future.
Which of the following exercises should an organization use to improve its incident response process?
a. Tabletop.
b. Replication.
c. Failover.
d. Recovery.
Correct answer: a. Tabletop.
Tabletop exercises simulate emergency situations in an informal, discussion-based environment, helping organizations improve their incident response plans and procedures.
A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic coming from an employee’s corporate laptop. The security analyst has determined that additional data about the executable running on the machine is necessary to continue the investigation. Which of the following logs should the analyst use as a data source?
a. Application.
b. IPS/IDS.
c. Network.
d. Endpoint.
Correct answer: d. Endpoint.
Endpoint logs provide detailed information about processes and activities on individual devices, which can help in understanding the behavior and origin of the suspected malicious executable.
A newly appointed board member with cybersecurity knowledge wants the board of directors to receive a quarterly report detailing the number of incidents that impacted the organization. The systems administrator is creating a way to present the data to the board of directors. Which of the following should the systems administrator use?
a. Packet captures.
b. Vulnerability scans.
c. Metadata.
d. Dashboard.
Correct answer: d. Dashboard.
A dashboard provides a clear, concise, and visual representation of the data, making it easier for the board of directors to understand the number of incidents and their impact on the organization. It can be customized to show trends, summaries, and other relevant metrics that are important for high-level decision-making.
A digital forensics team at a large company is investigating a case in which malicious code was downloaded over an HTTPS connection and was running in memory, but was never committed to disk. Which of the following techniques should the team use to obtain a sample of the malware binary?
a. pcap reassembly.
b. SSD snapshot.
c. Image volatile memory.
d. Extract from checksums.
Correct answer: c. Image volatile memory.
Imaging volatile memory (RAM) is the appropriate technique to capture the malicious code running in memory, as it allows the forensic team to obtain a snapshot of the current state of memory, including any malware that is present but not written to disk.
A company is required to use certified hardware when building networks. Which of the following best addresses the risks associated with procuring counterfeit hardware?
a. A thorough analysis of the supply chain.
b. A legally enforceable corporate acquisition policy.
c. A right to audit clause in vendor contracts and SOWs.
d. An in-depth penetration test of all suppliers and vendors.
Correct answer: c. A right to audit clause in vendor contracts and SOWs.
A right to audit clause in vendor contracts and Statements of Work (SOWs) allows the company to conduct audits to verify the authenticity and compliance of the hardware, reducing the risk of counterfeit components.