Total - Ch7 Flashcards
Admissible evidence
Relevance
Reliability
Legality
Which type of security analyst spends most of their time monitoring security tools and other technology platforms for suspicious activity?
Tier 1 security analysts spend most of their time monitoring security tools and other technology platforms for suspicious activity. For all their sophistication, these tools tend to generate a lot of false positives (that is, false alarms), so security analysts need to go through and verify the alerts generated by these tools. These analysts are typically the least experienced, so their job is to triage alerts, handling the more mundane and passing on the more complex and dangerous ones to the more experienced staff in the security operations center (SOC).
Tier 2 analysts can dig deeper into alerts to determine if they constitute security incidents. If they do, these analysts can then coordinate with incident responders and intelligence analysts to further investigate, contain, and eradicate the threats.
Disaster recovery and business continuity plans become outdated for all of the following reasons except __________.
A.
A company’s infrastructure changes
B.
Exercising of the disaster recovery plan
C.
Personnel turnover
D.
Company and departmental reorganizations
Exercising of the disaster recovery plan
Which of the following is the correct sequence of the seven-stage intrusion model known as the Cyber Kill Chain framework?
Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives.
During which of the following phases of incident management does the incident response team contain the damage caused by a security incident?
A.
Preservation
B.
Response
C.
Eradication
D.
Remediation
B is correct. The goal of containment during the response phase of incident management is to prevent or reduce any further damage from this incident so that the incident response (IR) team can begin to mitigate and recover. Done properly, this buys the IR team time for a proper investigation and determination of the incident’s root cause.
Which of the following describes the maximum amount of time available for certifying the functionality and integrity of restored systems and data so they can be put back into production?
A.
Maximum tolerable downtime (MTD)
B.
Work recovery time (WRT)
C.
Recovery time objective (RTO)
D.
Recovery point objective (RPO)
B is correct. The work recovery time (WRT) is the maximum amount of time available for certifying the functionality and integrity of restored systems and data so they can be put back into production. RTO usually deals with getting the infrastructure and systems back up and running, and WRT deals with ensuring business users can get back to work using them. Another way to think of WRT is as the remainder of the overall MTD value after the RTO has passed.
MTD = RTO + WRT
Which of the following creates a connection between the two communicating systems at the session layer of the OSI model?
A.
Next-generation firewall
B.
Application-level proxy
C.
Circuit-level proxy
D.
Packet-filtering firewall
C is correct. A proxy firewall stands between a trusted network and an untrusted network and makes the connection, each way, on behalf of the source. What is important is that a proxy firewall breaks the communication channel; there is no direct connection between the two communicating devices. Where a packet-filtering device just monitors traffic as it is traversing a network connection, a proxy ends the communication session and restarts it on behalf of the sending system. A circuit-level proxy creates a connection (circuit) between the two communicating systems. It works at the session layer of the OSI model and monitors traffic from a network-based view. This type of proxy cannot “look into” the contents of a packet; thus, it does not carry out deep packet inspection (DPI). It can only make access decisions based on protocol header and session information that is available to it.
Enticement vs Entrapment
Entrapment: illegal
Enticement: legal
Which of the following is considered a best practice when interviewing willing witnesses?
A.
Automatically assume the individual is guilty
B.
Compartmentalize information
C.
Interview multiple suspects at the same time
D.
Record the interview
B is correct. When interviewing someone during an investigation, you should make every effort to compartmentalize information. Your interview plan should address what information you share with each interviewee, and what you don’t share. You should not tell one interviewee what another said unless it’s absolutely essential.
Which of the following steps in the incident management process is considered the most important?
A.
Response
B.
Detection
C.
Mitigation
D.
Recovery
B is correct. Detection is the first and most important step in the incident management process. Responding to an incident requires realizing that you have a problem in the first place. The steps in the process are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.
Hearsay evidence
A statement made outside of the court proceeding that is introduced into court as evidence.
Which is primarily concerned with the chain of custody process?
Collection. ISO/IEC 27037, the international standard on digital evidence handling, identifies four phases of evidence handling: identification, collection, acquisition, and preservation. Evidence collection is the process of gaining physical control over devices that could potentially have evidentiary value. A chain of custody documents each person who has control of the evidence at every point in time. In large investigations, one person may collect evidence, another transport it, and a third store it. Keeping track of all these individuals is critical to proving in court that the evidence was not tampered with.
Which of the following incorporates functions of all previous legacy firewalls and also includes signature-based and/or behavioral analysis IPS engines?
A.
Next-generation firewall (NGFW)
B.
Proxy firewall
C.
Packet-filtering firewall
D.
Circuit-level proxy
A is correct. Some of the most advanced NGFWs include features that allow them to share signatures with a cloud-based aggregator so that once a new attack is detected by one firewall, all other firewalls manufactured by that vendor become aware of the attack signature.
D is incorrect. A circuit-level proxy creates a connection (circuit) between the two communicating systems. It works at the session layer of the OSI model and monitors traffic from a network-based view. This type of proxy cannot “look into” the contents of a packet; thus, it does not carry out deep packet inspection (DPI). It can only make access decisions based on protocol header and session information that is available to it.
Change management vs configuration management
Change management is a business process and configuration management is an operational process.
Incremental backup vs Differential backup
Incremental backup: fast. Removes the archive bit.
Full backup: removes the archive bit and precedes incremental & full backups.
Differential backup: contains all of the data that has changed since the last full backup.
Which of the following is the practice of minimizing the risks associated with the addition, modification, or removal of anything that could have an effect on IT services?
A.
Configuration management
B.
Risk management
C.
Change management
D.
Baseline management
C.
Change management
Which of the following detection techniques looks at the overall structure of suspected code and evaluates the coded instructions, logic functions, and the type of data within the code?
A.
Signature-based detection
B.
Heuristic detection
C.
Fingerprint-based detection
D.
Anomaly-based detection
B is correct. Heuristic detection examines code from a real-time perspective and looks at several characteristics of the code to determine if it is malicious.
Which of the following is the cyclical process of identifying asset weaknesses, determining the risks they pose to the organization, and applying security controls that bring those risks to acceptable levels?
A.
Vulnerability management
B.
Patch management
C.
Risk management
D.
Account management
A is correct. Vulnerability management is the cyclical process of identifying vulnerabilities, determining the risks they pose to the organization, and applying security controls that bring those risks to acceptable levels. Many people equate vulnerability management with periodically running a vulnerability scanner against their systems, but the process must include more than just that. Vulnerabilities exist not only in software, which is what the scanners assess, but also in business processes and in people.
C is incorrect. Risk management is the overall holistic management of different components of risk, such as threats, vulnerabilities, likelihood of a negative event occurring, and the impact of that negative event on the asset. Risk management covers far more than vulnerability management.
Which of the following change management processes is in the correct order?
A.
Request the change, evaluate the change, plan the change, implement the change, review the change, close or sustain the change
B.
Request the change, plan the change, implement the change, evaluate the change, review the change, close or sustain the change
C.
Plan the change, request the change, evaluate the change, implement the change, review the change, close or sustain the change
D.
Request the change, review the change, evaluate the change, plan the change, implement the change, close or sustain the change
A is correct. Although each organization will implement its own change management processes differently, the general steps remain the same. The correct order is request the change, evaluate the change, plan the change, implement the change, review the change, close or sustain the change.
What does a first-generation firewall inspect?
The packets, to see if they match any of the IF/THEN rule statements.
You are the CIO of a large financial institution that is planning to implement a blockchain solution to streamline its internal processes and improve security. As part of this process, you have to decide on the type of consensus algorithm to use.
Which of the following consensus algorithms is the most suitable for the financial institution’s blockchain solution?
Delegated Proof of Stake
Proof of Stake
Proof of Work
Federated Byzantine Agreement
The Federated Byzantine Agreement (FBA) is a suitable consensus algorithm for this case. The FBA is used in permissioned (private) blockchains where the participants are known and trusted entities. It doesn’t require extensive computational resources like Proof of Work and allows for faster transaction validation. It provides robustness in the face of faulty nodes and can even tolerate malicious participants to a certain extent. It does this by forming ‘quorums’ or groups of nodes that agree on validations, thus maintaining the integrity of the network. The financial institution can control who participates in the blockchain network, thereby ensuring security, privacy, and compliance with regulatory requirements.
At what point do we reach our RTO (Recovery time objective)?
A. When the system is completely offline.
B. When the system hardware is restored.
C. When the system software is restored.
D. When the system is back in production.
The RTO (Recovery time objective) is reached when we have restored the system hardware.
Getting the system back into production is the MTD (Maximum Tolerable Downtime).
"When the system is completely offline" is a distractor, and "when the system software is restored" is the WRT (Work Recovery Time).
The time it takes us to rebuild the hardware, install the software and test the system must not exceed the maximum amount of time we can be down (MTD > RTO + WRT).
What is the BEST practice for reporting an information security incident according to ISO 27035?
Notify the relevant authorities immediately
Report the incident to the CEO immediately
Conduct an internal investigation before reporting the incident
Report the incident to the board of directors first
According to ISO 27035, the BEST practice for reporting an information security incident is to notify the relevant authorities immediately. This ensures that the incident is properly investigated and any necessary action is taken to prevent further damage or loss.
Claire is setting up a new contingency plan. What is MOST likely to be the first step Claire will complete?
Ensure application software is available for use
Ensure operational team procedures are available
Ensure operating system software is available to be installed as required
Ensure hardware is available for use
Ensure hardware is available for use
Which of these would we do FIRST after a successful DDoS (Distributed Denial-of-Service) attack?
Restore servers using backup media from our offsite storage facility.
Isolate the affected subnets.
Do an assessment of our systems to determine their status.
Do an impact analysis of the DDoS attack.
Do an assessment of our systems to determine their status.