Security + Measure Up #3 Flashcards
A company’s systems engineer is devising an incident management plan. What should be the primary goal of the incident management plan for a DoS attack on the company’s ecommerce servers?
A. Implement DPI on the firewall
B. Discover the identity of the attacker
C. Identify the vulnerabilities that the attacker exploited
D. Restore normal operations as quickly as possible
D. Restore normal operations as quickly as possible. Ensuring the ecommerce servers are back up and running minimizes disruption to the business and customer experience.
A security administrator learns that sensitive information has been exfiltrated using DNS tunneling. What should the administrator do FIRST to investigate the incident?
A. Check the NetFlow traffic metrics for a sudden spike in UDP traffic
B. Check the firewall for evidence of outbound C&C communications
C. Investigate web logs for logons from untrusted IP addresses
D. Investigate DNS server logs for the registration of unauthorized domains
A. Check the NetFlow traffic metrics for a sudden spike in UDP traffic. This can help identify abnormal DNS traffic patterns that could indicate DNS tunneling activity.
Which of the following tasks is MOST likely performed by a third party as part of compliance monitoring for an organization?
A. Continuous monitoring
B. Cyber attestation
C. Due care
D. Data inventory
B. Cyber attestation. This task is often performed by third-party organizations to provide an independent verification of compliance with security standards and regulations.
A company wants to introduce a new enterprise mobility strategy for all users. Which deployment model will the enterprise use if it wants to allow an employee to choose a mobile phone from a company-approved list of devices?
A. BYOD
B. VDI
C. COPE
D. CYOD
D. CYOD (Choose Your Own Device). This model allows employees to select a mobile phone from a company-approved list, balancing flexibility and control.
In the context of General Data Protection Regulation (GDPR), which statement regarding data controllers and data processors is correct?
A. Controllers are based in the European Union (EU), while processors are not
B. Controllers store and process data, while processors only store data
C. Controllers determine how data will be processed, while processors process data
D. Controllers only collect data, while processors only process data
C. Controllers determine how data will be processed, while processors process data. This means controllers set the purpose and means of processing personal data, while processors handle the data according to the controller’s instructions.
Management has requested that an internal compliance audit be completed. Who should approve the audit plan?
A. A third-party auditor
B. A senior IT executive
C. The audit committee
D. A penetration tester
C. The audit committee. They are responsible for overseeing the audit process, ensuring its independence and objectivity.
Which of the following is the BEST option for automating a response to an on-path attack?
A. Network-based Intrusion Prevention System (NIPS)
B. Identity and Access Management (IAM)
C. Network Access Control (NAC)
D. Host-Based Intrusion Detection System (HIDS)
A. Network-based Intrusion Prevention System (NIPS). This system can detect and respond to on-path attacks in real time, making it a solid choice for automation.
Following a breach, an organization implements awareness training to help users identify the risks associated with removable media. Which of the following attacks will this training help mitigate?
A. Injection
B. Side loading
C. Baiting
D. Steganography
C. Baiting. Awareness training helps users recognize the risks of removable media and avoid falling for baiting attacks, where attackers leave infected media around to tempt people into using it and introducing malware.
A server has failed four times in the past year. Which measurement is used to determine the amount of time the server was operational?
A. MTTF
B. MTBF
C. ARO
D. ALE
B. MTBF (Mean Time Between Failures). This metric measures the average time between failures of a system, indicating the system’s reliability and operational time.
What is the PRIMARY purpose of red teaming?
A. To detect malicious insiders
B. To complete an independent audit
C. To validate security controls
D. To determine risk scores
C. To validate security controls. By simulating sophisticated attack scenarios, red teams assess the effectiveness of an organization’s defenses, identifying weaknesses that need to be addressed.
What should be used to outline penalties when a cloud provider suffers an extensive outage?
A. Memorandum of agreement (MOA)
B. Memorandum of understanding (MOU)
C. Service-level agreement (SLA)
D. Master service agreement (MSA)
C. Service-level agreement (SLA). SLAs specifically outline performance standards and penalties for non-compliance, including what happens during extensive outages.
Which of the following tasks occurs as part of Open Security Content Automation Protocol (SCAP) deployment in an organization?
A. Penetration testing will be performed
B. System configurations will be audited
C. Web traffic will be scanned for vulnerabilities
D. Data loss prevention will be configured
B. System configurations will be audited. SCAP deployment involves auditing and verifying that system configurations comply with security policies and standards.
A remote collection server is managed through command-line commands. Until recently, a company has been using Telnet to connect to the server, but now they suspect that one or more passwords have been compromised. The company’s security analyst is going to disable Telnet connectivity on the server. They need to use a more secure method for logging in and executing commands. What should the analyst use?
A. SSL
B. SSH
C. SNMP
D. HTTPS
B. SSH (Secure Shell). Unlike Telnet, SSH provides encrypted communication, ensuring that passwords and commands are securely transmitted, reducing the risk of interception by malicious actors.
An office manager receives a notification from a freight operator indicating that they must place a critical delivery in the organization’s data center. What should the office manager do NEXT?
A. Require the driver to use the access control vestibule.
B. Consult the risk register for instructions on next steps.
C. Escalate the request to the manager of the red team.
D. Report anomalous behavior to the security manager.
D. Report anomalous behavior to the security manager. This is likely the answer because it emphasizes the importance of alerting security personnel to any unusual or unexpected activity, which is a key step in maintaining security protocols. Escalating such issues ensures they are handled by those equipped to assess and respond to potential threats.
An organization establishes a formal incident response (IR) process and trains users on how the process should be used. Later, a user discovers evidence that their workstation is infected with malware. What should the user do NEXT?
A. Power off the workstation
B. Delete suspicious files
C. Report the finding
D. Run a virus scanner
C. Report the finding. Following the established IR process, the user should immediately report the potential malware infection to ensure it is handled by the appropriate personnel.
Why would an organization use Security Content Automation Protocol (SCAP)?
A. To determine if system configurations are consistent and secure
B. To determine if data is being exfiltrated accidentally or intentionally
C. To aggregate and correlate system logs from organizational servers
D. To facilitate single sign-on (SSO) for on-premises and cloud resources
A. To determine if system configurations are consistent and secure. SCAP is primarily used for automating vulnerability management, measurement, and policy compliance evaluation.
An organization suffers a breach due to successful impersonation. What should the organization do to reduce the effectiveness of this type of activity?
A. Implement social engineering awareness training
B. Create or update an incident response playbook
C. Perform a tabletop exercise with vulnerable users
D. Train users on how to recognize watering hole attacks
A. Implement social engineering awareness training. This helps employees recognize and respond to impersonation attempts, reducing the likelihood of such breaches.
In business impact analysis (BIA), what does recovery point objective (RPO) define?
A. The time it takes to initiate a response to an incident
B. The maximum acceptable data loss following an incident
C. The maximum acceptable downtime following an incident
D. The time it takes to recover from an incident
B. The maximum acceptable data loss following an incident. RPO defines the amount of data an organization can afford to lose during a disruption.