Total - Ch7 Flashcards

1
Q

Admissible evidence

A

Relevance
Reliability
Legality

2
Q

Which type of security analyst spends most of their time monitoring security tools and other technology platforms for suspicious activity?

A

Tier 1 security analysts spend most of their time monitoring security tools and other technology platforms for suspicious activity. For all their sophistication, these tools tend to generate a lot of false positives (that is, false alarms), so security analysts need to go through and verify the alerts generated by these tools. These analysts are typically the least experienced, so their job is to triage alerts, handling the more mundane and passing on the more complex and dangerous ones to the more experienced staff in the security operations center (SOC).

Tier 2 analysts can dig deeper into alerts to determine if they constitute security incidents. If they do, these analysts can then coordinate with incident responders and intelligence analysts to further investigate, contain, and eradicate the threats.

3
Q

Disaster recovery and business continuity plans become outdated for all of the following reasons except __________.
A.
A company’s infrastructure changes

B.
Exercising of the disaster recovery plan

C.
Personnel turnover

D.
Company and departmental reorganizations

A

Exercising of the disaster recovery plan

4
Q

Which of the following is the correct sequence of the seven-stage intrusion model known as the Cyber Kill Chain framework?

A

Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives.

5
Q

During which of the following phases of incident management does the incident response team contain the damage caused by a security incident?

A.
Preservation

B.
Response

C.
Eradication

D.
Remediation

A

B is correct. The goal of containment during the response phase of incident management is to prevent or reduce any further damage from this incident so that the incident response (IR) team can begin to mitigate and recover. Done properly, this buys the IR team time for a proper investigation and determination of the incident’s root cause.

6
Q

Which of the following describes the maximum amount of time available for certifying the functionality and integrity of restored systems and data so they can be put back into production?

A.
Maximum tolerable downtime (MTD)

B.
Work recovery time (WRT)

C.
Recovery time objective (RTO)

D.
Recovery point objective (RPO)

A

B is correct. The work recovery time (WRT) is the maximum amount of time available for certifying the functionality and integrity of restored systems and data so they can be put back into production. RTO usually deals with getting the infrastructure and systems back up and running, and WRT deals with ensuring business users can get back to work using them. Another way to think of WRT is as the remainder of the overall MTD value after the RTO has passed.

MTD = RTO + WRT

7
Q

Which of the following creates a connection between the two communicating systems at the session layer of the OSI model?

A.
Next-generation firewall

B.
Application-level proxy

C.
Circuit-level proxy

D.
Packet-filtering firewall

A

C is correct. A proxy firewall stands between a trusted network and an untrusted network and makes the connection, each way, on behalf of the source. What is important is that a proxy firewall breaks the communication channel; there is no direct connection between the two communicating devices. Where a packet-filtering device just monitors traffic as it is traversing a network connection, a proxy ends the communication session and restarts it on behalf of the sending system. A circuit-level proxy creates a connection (circuit) between the two communicating systems. It works at the session layer of the OSI model and monitors traffic from a network-based view. This type of proxy cannot “look into” the contents of a packet; thus, it does not carry out deep packet inspection (DPI). It can only make access decisions based on protocol header and session information that is available to it.

8
Q

Enticement vs Entrapment

A

Entrapment: illegal
Enticement: legal

9
Q

Which of the following is considered a best practice when interviewing willing witnesses?

A.
Automatically assume the individual is guilty

B.
Compartmentalize information

C.
Interview multiple suspects at the same time

D.
Record the interview

A

B is correct. When interviewing someone during an investigation, you should make every effort to compartmentalize information. Your interview plan should address what information you share with each interviewee, and what you don’t share. You should not tell one interviewee what another said unless it’s absolutely essential.

10
Q

Which of the following steps in the incident management process is considered the most important?

A.
Response

B.
Detection

C.
Mitigation

D.
Recovery

A

B is correct. Detection is the first and most important step in the incident management process. Responding to an incident requires realizing that you have a problem in the first place. The steps in the process are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.

11
Q

Hearsay evidence

A

A statement made outside of the court proceeding that is introduced into court as evidence

12
Q

Which is primarily concerned with the chain of custody process?

A

Collection. ISO/IEC 27037, the international standard on digital evidence handling, identifies four phases of evidence handling: identification, collection, acquisition, and preservation. Evidence collection is the process of gaining physical control over devices that could potentially have evidentiary value. A chain of custody documents each person who has control of the evidence at every point in time. In large investigations, one person may collect evidence, another transport it, and a third store it. Keeping track of all these individuals is critical to proving in court that the evidence was not tampered with.

13
Q

Which of the following incorporates functions of all previous legacy firewalls and also includes signature-based and/or behavioral analysis IPS engines?

A.
Next-generation firewall (NGFW)

B.
Proxy firewall

C.
Packet-filtering firewall

D.
Circuit-level proxy

A

A is correct. Some of the most advanced NGFWs include features that allow them to share signatures with a cloud-based aggregator so that once a new attack is detected by one firewall, all other firewalls manufactured by that vendor become aware of the attack signature.

D is incorrect. A circuit-level proxy creates a connection (circuit) between the two communicating systems. It works at the session layer of the OSI model and monitors traffic from a network-based view. This type of proxy cannot “look into” the contents of a packet; thus, it does not carry out deep packet inspection (DPI). It can only make access decisions based on protocol header and session information that is available to it.

14
Q

Change management vs configuration management

A

Change management is a business process and configuration management is an operational process.

15
Q

Incremental backup vs Differential backup

A

Incremental backup: fast. Removes the archive bit.

Full backup: removes the archive bit and comes before the incremental and full backups.

Differential backup: contains all of the data that has changed since the last full backup.

16
Q

Which of the following is the practice of minimizing the risks associated with the addition, modification, or removal of anything that could have an effect on IT services?

A.
Configuration management

B.
Risk management

C.
Change management

D.
Baseline management

A

C.
Change management

17
Q

Which of the following detection techniques looks at the overall structure of suspected code and evaluates the coded instructions, logic functions, and the type of data within the code?

A.
Signature-based detection

B.
Heuristic detection

C.
Fingerprint-based detection

D.
Anomaly-based detection

A

B is correct. Heuristic detection examines code from a real-time perspective and looks at several characteristics of the code to determine if it is malicious.

18
Q

Which of the following is the cyclical process of identifying asset weaknesses, determining the risks they pose to the organization, and applying security controls that bring those risks to acceptable levels?

A.
Vulnerability management

B.
Patch management

C.
Risk management

D.
Account management

A

A is correct. Vulnerability management is the cyclical process of identifying vulnerabilities, determining the risks they pose to the organization, and applying security controls that bring those risks to acceptable levels. Many people equate vulnerability management with periodically running a vulnerability scanner against their systems, but the process must include more than just that. Vulnerabilities exist not only in software, which is what the scanners assess, but also in business processes and in people.

C is incorrect. Risk management is the overall holistic management of different components of risk, such as threats, vulnerabilities, likelihood of a negative event occurring, and the impact of that negative event on the asset. Risk management covers far more than vulnerability management.

19
Q

Which of the following change management processes is in the correct order?

A.
Request the change, evaluate the change, plan the change, implement the change, review the change, close or sustain the change

B.
Request the change, plan the change, implement the change, evaluate the change, review the change, close or sustain the change

C.
Plan the change, request the change, evaluate the change, implement the change, review the change, close or sustain the change

D.
Request the change, review the change, evaluate the change, plan the change, implement the change, close or sustain the change

A

A is correct. Although each organization will implement its own change management processes differently, the general steps remain the same. The correct order is request the change, evaluate the change, plan the change, implement the change, review the change, close or sustain the change.

20
Q

What does a first-generation firewall inspect?

A

The packets, to see if they match any of the IF/THEN statements (rules).

21
Q

You are the CIO of a large financial institution that is planning to implement a blockchain solution to streamline its internal processes and improve security. As part of this process, you have to decide on the type of consensus algorithm to use.
Which of the following consensus algorithms is the most suitable for the financial institution’s blockchain solution?

Delegated Proof of Stake
Proof of Stake
Proof of Work
Federated Byzantine Agreement

A

The Federated Byzantine Agreement (FBA) is a suitable consensus algorithm for this case. The FBA is used in permissioned (private) blockchains where the participants are known and trusted entities. It doesn’t require extensive computational resources like Proof of Work and allows for faster transaction validation. It provides robustness in the face of faulty nodes and can even tolerate malicious participants to a certain extent. It does this by forming ‘quorums’ or groups of nodes that agree on validations, thus maintaining the integrity of the network. The financial institution can control who participates in the blockchain network, thereby ensuring security, privacy, and compliance with regulatory requirements.

21
Q

At what point do we reach our RTO (Recovery time objective)?

A. When the system is completely offline.
B. When the system hardware is restored.
C. When the system software is restored.
D. When the system is back in production.

A

The RTO (Recovery Time Objective) is reached when we have restored the system hardware.

Getting the system back into production is the MTD (Maximum Tolerable Downtime).

When the system is completely offline is a distractor, and when the system software is restored is the WRT (Work Recovery Time).

The maximum amount of time we can be down must not exceed the time it takes us to rebuild the hardware, install the software and test the system (MTD > RTO + WRT).

22
Q

What is the BEST practice for reporting an information security incident according to ISO 27035?

Notify the relevant authorities immediately
Report the incident to the CEO immediately
Conduct an internal investigation before reporting the incident
Report the incident to the board of directors first

A

According to ISO 27035, the BEST practice for reporting an information security incident is to notify the relevant authorities immediately. This ensures that the incident is properly investigated and any necessary action is taken to prevent further damage or loss.

23
Q

Claire is setting up a new contingency plan. What is MOST likely to be the first step Claire will complete?

Ensure application software is available for use
Ensure operational team procedures are available
Ensure operating system software is available to be installed as required
Ensure hardware is available for use

A

Ensure hardware is available for use

24
Q

Which of these would we do FIRST after a successful DDoS (Distributed Denial-of-Service) attack?

Restore servers using backup media from our offsite storage facility.
Isolate the affected subnets.
Do an assessment of our systems to determine their status.
Do an impact analysis of the DDoS attack.

A

Do an assessment of our systems to determine their status.

25
Q

Mark wants to determine the subnet address of the IPv6 address 2001:1996:3451:6789::1782. Where can he find the subnet address and what is the value?

1st group, 2001
3rd group, 3451
4th group, 6789
8th group, 1782

A

4th group, 6789

26
Q

As the firewall administrator, Claire notices a rule that permits traffic to port 80 on the server at address 47.23.56.255. What is the MOST likely reason Claire would have to be suspicious of this rule?

The web server would never be assigned this address
This address cannot be reached by the firewall
This address is used to send a broadcast to all servers on the subnet
This address is missing the subnet mask

A

This address is used to send a broadcast to all servers on the subnet

An IPv4 address with 255 as the last octet broadcasts the traffic to all servers on the subnet, in this case the 47.23.56/24 subnet. By the same token, any server (web or otherwise) would never be assigned this address, but this is a consequence of the reason behind the correct answer. Port 80 is used by podcast servers to broadcast their traffic. The broadcast IP address can be reached by the firewall. In IPv4, if the address lacks a subnet mask, /32 is assumed.

27
Q

What should we do FIRST when we are implementing Information Security governance in our organization?
Determine our security baselines.
Adopt security best practices for our industry.
Make our security policies.
Define our security strategy.

A

Define our security strategy.

28
Q

Packet filtering firewall

A

Stateless inspection.

Network layer.

Source and destination IP addresses / ports
Protocol types
Inbound and outbound traffic direction

29
Q

Circuit-level proxy

A

Session layer. Looks only at packet header information.

30
Q

Electronic vaulting

Remote journaling

Tape vaulting

Electronic tape vaulting

A

Electronic vaulting - makes copies of files periodically, not in real time

Remote journaling - moves journals or transaction logs, not files; they are reassembled at recovery time

Tape vaulting - tapes are periodically transported to another site

Electronic tape vaulting - data is transmitted to another site over a serial line

31
Q

In which of the following steps in the life cycle of evidence is the primary consideration that the evidence not be tampered with?

Collect

Store

Return

Analyze

Present

A

Store

32
Q

Which of the following is a memory space isolated from other running processes?

Protection domain

Trusted path

Security kernel

Execution domain

A

Protection domain.

Execution domain: An isolated area that is used by trusted processes when they are run in a privileged state. This is used in a trusted computing base (TCB).

Protection domain: Memory space isolated from other running processes in a multiprocessing system.

Trusted path: The communication channel between applications and the kernel in the TCB.

Security kernel: Provides a foundation to build a trusted computing system.

33
Q

Which type of BCP testing occurs when the operations and support personnel execute the DRP in a role-playing scenario to identify omitted steps and threats?

Simulation test

Structured walk-through test

Checklist test

Table-top exercise

A

Simulation test

34
Q

Your organization has performed a business impact analysis (BIA). During the BIA, it has been determined that there are certain risks that can affect both the primary site and the hot site. It has been decided to implement another site that is geographically dispersed from the other two sites. Which of the following alternative site strategies should the organization implement?

Hot site

Warm site

Tertiary site

Cold site

Redundant site

A

Tertiary site

35
Q

At which stage of incident response is the root cause of the incident discovered?

Analysis

Investigation

Tracking

Post-mortem

Triage

Recovery

Containment

A

Analysis.

Triage: The incident response team examines the incident to see what was affected and sets priorities

Investigation: Involves the collection of relevant data.

Containment: The damage is mitigated or contained.

Analysis: Where the root cause of the incident is discovered.

Tracking: The source (user or device) of the incident is determined.

Post-mortem review: Completed last as part of the incident response.

Recovery: Necessary adjustments or enhancements are made to policies and procedures

36
Q

Which of the following is a requirement if a person with a need to know is given permission to operate on a government computer?

Configuration management provides a mechanism to change through formal approval

Change management is for software, configuration management is for hardware

Change management provides a mechanism to change configuration through formal approval

Configuration management is for software, change management is for hardware

A

Change management provides a mechanism to change configuration through formal approval

37
Q

When should law enforcement be involved for evidence to be admissible in a court of law in the case of an incident?

As early as possible after the incident is reported and data collected

Only when the local law enforcement has the skills to deal with the incident

After the incident is reported, data collected and a case filed in a court

Immediately after incident occurrence without touching anything

A

As early as possible after the incident is reported and data collected

38
Q

Which of the following is the standard of care that a prudent person would have exercised under the same or similar conditions?

Due care

Prudent care

Reasonable care

Due diligence

A

Due care

39
Q

What type of evidence requires inference from the available facts?

Secondary evidence

Best evidence

Circumstantial evidence

Hearsay evidence

A

Circumstantial evidence. It presents intermediate facts that allow the judge and the jury to logically deduce a fact.

40
Q

Which term is used for a leased facility that contains all the resources needed for full operation?

Cold site

Hot site

Warm site

Tertiary site

A

Hot site

41
Q

Which step in the investigative process includes signature resolution?

Preservation

Collection

Examination

Identification

A

Identification.

Identification: Includes event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis

Preservation: Includes imaging technologies, chain of custody standards, and time synchronization

Collection: Includes approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques

Examination: Includes traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction

42
Q

What type of evidence does not require backup information?

Secondary evidence

Best evidence

Conclusive evidence

Direct evidence

A

Direct evidence

43
Q

Which step in the investigative process includes hidden data extraction?

Preservation

Collection

Examination

Identification

A

Examination

Identification: Includes event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis

Preservation: Includes imaging technologies, chain of custody standards, and time synchronization

Collection: Includes approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques

Examination: Includes traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction

44
Q

Which type of BCP testing occurs when managers of each department or functional area review the BCP and make note of any modifications to the plan for the BCP committee?

Simulation test

Structured walk-through test

Checklist test

Table-top exercise

A

Checklist test

45
Q

Which of the following BEST describes the meaning of Legal permissibility in a computer crime?

Evidence is deemed by the judge to be useful to reach a decision

Evidence is deemed by the law enforcement to be presented to a judge

Evidence the judge allows in the court of law per rules of the state

Any evidence an attorney thinks they can present to the judge or jurors

A

Evidence the judge allows in the court of law per rules of the state

46
Q

At which stage of incident response are necessary adjustments or enhancements made to policies and procedures?

Analysis

Investigation

Tracking

Post-mortem

Triage

Recovery

Containment

A

Recovery.

Triage: The incident response team examines the incident to see what was affected and sets priorities

Investigation: Involves the collection of relevant data.

Containment: The damage is mitigated or contained.

Analysis: Where the root cause of the incident is discovered.

Tracking: The source (user or device) of the incident is determined.

Post-mortem review: Completed last as part of the incident response.

Recovery: Necessary adjustments or enhancements are made to policies and procedures.

47
Q

Which of the following steps in the life cycle of evidence comes last?

Collect

Store

Return

Analyze

Present

A

Return.

1. Collect evidence from the site.
2. Analyze the evidence using a team of experts.
3. Store the evidence in a secure place to ensure that the evidence is not tampered with.
4. Present the evidence in a court of law.
5. Return the evidence to the owner after the proceedings are over.

48
Q

What type of control is separation of duties and responsibilities, which is valuable in deterring fraud by ensuring that no single individual can compromise a system?

Preventive administrative control

Technological user control

Logical and technical control

Administrative human control

A

Preventive administrative control

49
Q

In which phase of embedded device analysis will the investigator extract the artifacts from the original media and then organize them on CD-ROM or DVD-ROM?

Preservation

Collection

Analysis

Presentation

A

Presentation.

Collection: Artifacts considered to be of evidentiary value (digital data in the form of disk drives, flash memory drives, or other forms of digital media) are identified and collected.

Preservation: Focuses on preserving original artifacts in a way that is reliable, complete, accurate, and verifiable. Cryptographic hashing, checksums, and documentation are all key components of the preservation phase.

Analysis or Filtering: Investigators attempt to filter out data that is determined not to contain any artifacts of evidentiary value.

Presentation: Potential artifacts of evidentiary value are presented, normally starting with the investigator extracting the artifacts from the original media and then staging and organizing them on CD-ROM or DVD-ROM.

50
Q

Which step in the investigative process includes data reduction?

Preservation

Collection

Examination

Identification

A

Collection

Identification: Includes event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis

Preservation: Includes imaging technologies, chain of custody standards, and time synchronization

Collection: Includes approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques

Examination: Includes traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction

51
Q

When an organization evaluates information to identify vulnerabilities, threats, and issues related to risk, it has applied which security principle?

Due diligence

Due care

Job rotation

Separation of duties

A

Due diligence

52
Q

Which type of BCP testing is most accurate?

Simulation test

Structured walk-through test

Checklist test

Table-top exercise

A

Structured walk-through test

53
Q

Which electronic backup method copies files as modifications occur in real time?

Tape vaulting

Electronic vaulting

Synchronous replication

Asynchronous replication

A

Electronic vaulting

54
Q

What is it known as when two internal departments of a company agree to support each other and respond to problems within a reasonable timeframe while providing required service to each other?

Service level agreement

Branch level agreement

Internal agreement

Administrative agreement

A

Service level agreement

55
Q

Which stage of incident response involves the collection of relevant data?

Analysis

Investigation

Tracking

Post-mortem

Triage

Recovery

Containment

A

Investigation.

Triage: The incident response team examines the incident to see what was affected and sets priorities

Investigation: Involves the collection of relevant data.

Containment: The damage is mitigated or contained.

Analysis: Where the root cause of the incident is discovered.

Tracking: The source (user or device) of the incident is determined.

Post-mortem review: Completed last as part of the incident response.

Recovery: Necessary adjustments or enhancements are made to policies and procedures.

56
Q

Which of the following types of evidence should be collected second in an investigation of a computer crime?

Memory contents

Raw disk blocks

Swap files

File system information

Network processes

System processes

A

Swap files

57
Q

What type of evidence does not require any corroboration?

Secondary evidence

Best evidence

Conclusive evidence

Hearsay evidence

A

Hearsay evidence

58
Q

Which of the following is an isolated area that is used by trusted processes?

Protection domain

Trusted path

Security kernel

Execution domain

A

Execution domain

59
Q

Which step in the investigative process includes chain of custody standards?

Preservation

Collection

Examination

Identification

A

Preservation

60
Q

What type of evidence is not adequate to implicate a suspect but can complement the primary evidence?

Secondary evidence

Corroborative evidence

Circumstantial evidence

Hearsay evidence

A

Corroborative evidence

61
Q

At which stage of incident response is the source of the incident determined?

Analysis

Investigation

Tracking

Post-mortem

Triage

Recovery

Containment

A

Tracking.

Triage: The incident response team examines the incident to see what was affected and sets priorities

Investigation: Involves the collection of relevant data.

Containment: The damage is mitigated or contained.

Analysis: Where the root cause of the incident is discovered.

Tracking: The source (user or device) of the incident is determined.

Post-mortem review: Completed last as part of the incident response.

Recovery: Necessary adjustments or enhancements are made to policies and procedures.

62
Q

Directing the output of the forensic imaging software to which interface is recommended when performing forensic imaging?

SCSI

Ethernet

Bluetooth

802.11

A

SCSI

63
Q

Which of the following arrangements for fault tolerance provides the least amount of protection contractually?

Warm site

Hot site

Reciprocal agreement

Cold site

A

Reciprocal agreement