Total - Ch7 Flashcards

1
Q

Admissible evidence

A

Relevance
Reliability
Legality

2
Q

Which type of security analyst spends most of their time monitoring security tools and other technology platforms for suspicious activity?

A

Tier 1 security analysts spend most of their time monitoring security tools and other technology platforms for suspicious activity. For all their sophistication, these tools tend to generate a lot of false positives (that is, false alarms), so security analysts need to go through and verify the alerts generated by these tools. These analysts are typically the least experienced, so their job is to triage alerts, handling the more mundane and passing on the more complex and dangerous ones to the more experienced staff in the security operations center (SOC).

Tier 2 analysts can dig deeper into alerts to determine if they constitute security incidents. If they do, these analysts can then coordinate with incident responders and intelligence analysts to further investigate, contain, and eradicate the threats.

3
Q

Disaster recovery and business continuity plans become outdated for all of the following reasons except __________.
A.
A company’s infrastructure changes

B.
Exercising of the disaster recovery plan

C.
Personnel turnover

D.
Company and departmental reorganizations

A

Exercising of the disaster recovery plan

4
Q

Which of the following is the correct sequence of the seven-stage intrusion model known as the Cyber Kill Chain framework?

A

Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives.

5
Q

During which of the following phases of incident management does the incident response team contain the damage caused by a security incident?

A.
Preservation

B.
Response

C.
Eradication

D.
Remediation

A

B is correct. The goal of containment during the response phase of incident management is to prevent or reduce any further damage from this incident so that the incident response (IR) team can begin to mitigate and recover. Done properly, this buys the IR team time for a proper investigation and determination of the incident’s root cause.

6
Q

Which of the following describes the maximum amount of time available for certifying the functionality and integrity of restored systems and data so they can be put back into production?

A.
Maximum tolerable downtime (MTD)

B.
Work recovery time (WRT)

C.
Recovery time objective (RTO)

D.
Recovery point objective (RPO)

A

B is correct. The work recovery time (WRT) is the maximum amount of time available for certifying the functionality and integrity of restored systems and data so they can be put back into production. RTO usually deals with getting the infrastructure and systems back up and running, and WRT deals with ensuring business users can get back to work using them. Another way to think of WRT is as the remainder of the overall MTD value after the RTO has passed.

MTD = RTO + WRT

7
Q

Which of the following creates a connection between the two communicating systems at the session layer of the OSI model?

A.
Next-generation firewall

B.
Application-level proxy

C.
Circuit-level proxy

D.
Packet-filtering firewall

A

C is correct. A proxy firewall stands between a trusted network and an untrusted network and makes the connection, each way, on behalf of the source. What is important is that a proxy firewall breaks the communication channel; there is no direct connection between the two communicating devices. Where a packet-filtering device just monitors traffic as it is traversing a network connection, a proxy ends the communication session and restarts it on behalf of the sending system. A circuit-level proxy creates a connection (circuit) between the two communicating systems. It works at the session layer of the OSI model and monitors traffic from a network-based view. This type of proxy cannot “look into” the contents of a packet; thus, it does not carry out deep packet inspection (DPI). It can only make access decisions based on protocol header and session information that is available to it.

8
Q

Enticement vs Entrapment

A

Entrapment: illegal
Enticement: legal

9
Q

Which of the following is considered a best practice when interviewing willing witnesses?

A.
Automatically assume the individual is guilty

B.
Compartmentalize information

C.
Interview multiple suspects at the same time

D.
Record the interview

A

B is correct. When interviewing someone during an investigation, you should make every effort to compartmentalize information. Your interview plan should address what information you share with each interviewee, and what you don’t share. You should not tell one interviewee what another said unless it’s absolutely essential.

10
Q

Which of the following steps in the incident management process is considered the most important?

A.
Response

B.
Detection

C.
Mitigation

D.
Recovery

A

B is correct. Detection is the first and most important step in the incident management process. Responding to an incident requires realizing that you have a problem in the first place. The steps in the process are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.

11
Q

hearsay evidence

A

A statement made outside of the court proceeding that is introduced into court as evidence

12
Q

Which is primarily concerned with the chain of custody process?

A

Collection. ISO/IEC 27037, the international standard on digital evidence handling, identifies four phases of evidence handling: identification, collection, acquisition, and preservation. Evidence collection is the process of gaining physical control over devices that could potentially have evidentiary value. A chain of custody documents each person that has control of the evidence at every point in time. In large investigations, one person may collect evidence, another transport it, and a third store it. Keeping track of all these individuals is critical to proving in court that the evidence was not tampered with.

13
Q

Which of the following incorporates functions of all previous legacy firewalls and also includes signature-based and/or behavioral analysis IPS engines?

A.
Next-generation firewall (NGFW)

B.
Proxy firewall

C.
Packet-filtering firewall

D.
Circuit-level proxy

A

A is correct. Some of the most advanced NGFWs include features that allow them to share signatures with a cloud-based aggregator so that once a new attack is detected by one firewall, all other firewalls manufactured by that vendor become aware of the attack signature.

D is incorrect. A circuit-level proxy creates a connection (circuit) between the two communicating systems. It works at the session layer of the OSI model and monitors traffic from a network-based view. This type of proxy cannot “look into” the contents of a packet; thus, it does not carry out deep packet inspection (DPI). It can only make access decisions based on protocol header and session information that is available to it.

14
Q

Change management vs configuration management

A

Change management is a business process and configuration management is an operational process.

15
Q

Incremental backup vs Differential backup

A

Incremental backup: fast. Removes the archive bit.

Full backup: removes the archive bit and comes before incremental & full backup.

Differential backup contains all of the data that has changed since the last full backup.

16
Q

Which of the following is the practice of minimizing the risks associated with the addition, modification, or removal of anything that could have an effect on IT services?

A.
Configuration management

B.
Risk management

C.
Change management

D.
Baseline management

A

C.
Change management

17
Q

Which of the following detection techniques looks at the overall structure of suspected code and evaluates the coded instructions, logic functions, and the type of data within the code?

A.
Signature-based detection

B.
Heuristic detection

C.
Fingerprint-based detection

D.
Anomaly-based detection

A

B is correct. Heuristic detection examines code from a real-time perspective and looks at several characteristics of the code to determine if it is malicious.

18
Q

Which of the following is the cyclical process of identifying asset weaknesses, determining the risks they pose to the organization, and applying security controls that bring those risks to acceptable levels?

A.
Vulnerability management

B.
Patch management

C.
Risk management

D.
Account management

A

A is correct. Vulnerability management is the cyclical process of identifying vulnerabilities, determining the risks they pose to the organization, and applying security controls that bring those risks to acceptable levels. Many people equate vulnerability management with periodically running a vulnerability scanner against their systems, but the process must include more than just that. Vulnerabilities exist not only in software, which is what the scanners assess, but also in business processes and in people.

C is incorrect. Risk management is the overall holistic management of different components of risk, such as threats, vulnerabilities, likelihood of a negative event occurring, and the impact of that negative event on the asset. Risk management covers far more than vulnerability management.

19
Q

Which of the following change management processes is in the correct order?

A.
Request the change, evaluate the change, plan the change, implement the change, review the change, close or sustain the change

B.
Request the change, plan the change, implement the change, evaluate the change, review the change, close or sustain the change

C.
Plan the change, request the change, evaluate the change, implement the change, review the change, close or sustain the change

D.
Request the change, review the change, evaluate the change, plan the change, implement the change, close or sustain the change

A

A is correct. Although each organization will implement its own change management processes differently, the general steps remain the same. The correct order is request the change, evaluate the change, plan the change, implement the change, review the change, close or sustain the change.

20
Q

What does a first generation firewall inspect?

A

The packets to see if they match any of the IF/THEN statements

21
Q

You are the CIO of a large financial institution that is planning to implement a blockchain solution to streamline its internal processes and improve security. As part of this process, you have to decide on the type of consensus algorithm to use.
Which of the following consensus algorithms is the most suitable for the financial institution’s blockchain solution?

Delegated Proof of Stake
Proof of Stake
Proof of Work
Federated Byzantine Agreement

A

The Federated Byzantine Agreement (FBA) is a suitable consensus algorithm for this case. The FBA is used in permissioned (private) blockchains where the participants are known and trusted entities. It doesn’t require extensive computational resources like Proof of Work and allows for faster transaction validation. It provides robustness in the face of faulty nodes and can even tolerate malicious participants to a certain extent. It does this by forming ‘quorums’ or groups of nodes that agree on validations, thus maintaining the integrity of the network. The financial institution can control who participates in the blockchain network, thereby ensuring security, privacy, and compliance with regulatory requirements.

21
Q

At what point do we reach our RTO (Recovery time objective)?

A. When the system is completely offline.
B. When the system hardware is restored.
C. When the system software is restored.
D. When the system is back in production.

A

The RTO (Recovery time objective) is when we have restored the system hardware.

Getting the system back into production is the MTD (Maximum Tolerable Downtime).

When the system is completely offline is a distractor, and when the system software is restored is the WRT (Work Recovery Time).

The maximum amount of time we can be down must not exceed the time it takes us to rebuild the hardware, install the software, and test the system (MTD > RTO + WRT).

22
Q

What is the BEST practice for reporting an information security incident according to ISO 27035?
* Notify the relevant authorities immediately
Report the incident to the CEO immediately
Conduct an internal investigation before reporting the incident
* Report the incident to the board of directors first

A

According to ISO 27035, the BEST practice for reporting an information security incident is to notify the relevant authorities immediately. This ensures that the incident is properly investigated and any necessary action is taken to prevent further damage or loss.

23
Q

Claire is setting up a new contingency plan. What is MOST likely to be the first step Claire will complete?

Ensure application software is available for use
Ensure operational team procedures are available
Ensure operating system software is available to be installed as required
Ensure hardware is available for use

A

Ensure hardware is available for use

24
Q

Which of these would we do FIRST after a successful DDoS (Distributed Denial-of-Service) attack?

Restore servers using backup media from our offsite storage facility.
Isolate the affected subnets.
Do an assessment of our systems to determine their status.
Do an impact analysis of the DDoS attack.

A

* Do an assessment of our systems to determine their status.
25
Q

Mark wants to determine the subnet address of the IPv6 address 2001:1996:3451:6789::1782. Where can he find the subnet address and what is the value?

1st group, 2001
3rd group, 3451
4th group, 6789
8th group, 1782

A

4th group, 6789
26
Q

As the firewall administrator, Claire notices a rule that permits traffic to port 80 on the server at address 47.23.56.255. What is the MOST likely reason Claire would have to be suspicious of this rule?

The web server would never be assigned this address
This address cannot be reached by the firewall
This address is used to send a broadcast to all servers on the subnet
This address is missing the subnet mask

A

This address is used to send a broadcast to all servers on the subnet

An IPv4 address with 255 as the last octet broadcasts the traffic to all servers on the subnet, in this case the 47.23.56/24 subnet. By the same token, any server (web or otherwise) would never be assigned this address, but this is the result of the reason behind the correct answer. Port 80 is used by podcast servers to broadcast their traffic. The broadcast IP address can be reached by the firewall. In IPv4 if the address lacks a subnet mask, /32 is assumed.
27
Q

What should we do FIRST when we are implementing Information Security governance in our organization?

Determine our security baselines.
Adopt security best practices for our industry.
Make our security policies.
Define our security strategy.

A

* Define our security strategy.
28
Q

Packet filtering firewall

A

Stateless inspection. Network layer.
Source and destination IP addresses / ports
Protocol types
Inbound and outbound traffic direction
29
Q

Circuit-level proxy

A

Session layer. Looks only at packet header information.
30
Q

Electronic vaulting
Remote journaling
Tape vaulting
Electronic tape vaulting

A

Electronic vaulting - makes copies of files periodically, not in real time
Remote journaling - moves journals or transaction logs, not files; they are reassembled during recovery
Tape vaulting - periodically transports tapes to another site
Electronic tape vaulting - transmits to another site over a serial line
31
Q

In which of the following steps in the life cycle of evidence is the primary consideration that the evidence not be tampered with?

Collect
Store
Return
Analyze
Present

A

Store
32
Q

Which of the following is a memory space isolated from other running processes?

Protection domain
Trusted path
Security kernel
Execution domain

A

Protection domain.

Execution domain: An isolated area that is used by trusted processes when they are run in a privileged state. This is used in a trusted computing base (TCB).
Protection domain: Memory space isolated from other running processes in a multiprocessing system.
Trusted path: The communication channel between applications and the kernel in the TCB.
Security kernel: Provides a foundation to build a trusted computing system.
33
Q

Which type of BCP testing occurs when the operations and support personnel execute the DRP in a role-playing scenario to identify omitted steps and threats?

Simulation test
Structured walk-through test
Checklist test
Table-top exercise

A

Simulation test
34
Q

Your organization has performed a business impact analysis (BIA). During the BIA, it has been determined that there are certain risks that can affect both the primary site and the hot site. It has been decided to implement another site that is geographically dispersed from the other two sites. Which of the following alternative site strategies should the organization implement?

Hot site
Warm site
Tertiary site
Cold site
Redundant site

A

Tertiary site
35
Q

At which stage of incident response is the root cause of the incident discovered?

Analysis
Investigation
Tracking
Post-mortem
Triage
Recovery
Containment

A

Analysis.

Triage: The incident response team examines the incident to see what was affected and sets priorities.
Investigation: Involves the collection of relevant data.
Containment: The damage is mitigated or contained.
Analysis: Where the root cause of the incident is discovered.
Tracking: The source (user or device) of the incident is determined.
Post-mortem review: Completed last as part of the incident response.
Recovery: Necessary adjustments or enhancements are made to policies and procedures.
36
Q

Which of the following is a requirement if a person with a need to know is given permission to operate on a government computer?

Configuration management provides mechanism to change through formal approval
Change management is for software, configuration management is for hardware
Change management provides mechanism to change configuration through formal approval
Configuration management is for software, change management is for hardware

A

Change management provides mechanism to change configuration through formal approval
37
Q

When should the law enforcement be involved for evidence to be admissible in the court of law in case of an incident?

As early as possible after incident is reported and data collected
Only when the local law enforcement has skills to deal with incident
After incident is reported and data collected and a case filed in a court
Immediately after incident occurrence without touching anything

A

As early as possible after incident is reported and data collected
38
Q

Which of the following is the standard of care that a prudent person would have exercised under the same or similar conditions?

due care
prudent care
reasonable care
due diligence

A

due care
39
Q

What type of evidence requires inference from the available facts?

Secondary evidence
Best evidence
Circumstantial evidence
Hearsay evidence

A

Circumstantial evidence presents intermediate facts that facilitate the judge and the jury to logically deduce a fact.
40
Q

Which term is used for a leased facility that contains all the resources needed for full operation?

cold site
hot site
warm site
tertiary site

A

hot site
41
Q

Which step in the investigative process includes signature resolution?

Preservation
Collection
Examination
Identification

A

Identification.

Identification: Includes event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis.
Preservation: Includes imaging technologies, chain of custody standards, and time synchronization.
Collection: Includes approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques.
Examination: Includes traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction.
42
Q

What type of evidence does not require backup information?

Secondary evidence
Best evidence
Conclusive evidence
Direct evidence

A

Direct evidence
43
Q

Which step in the investigative process includes hidden data extraction?

Preservation
Collection
Examination
Identification

A

Examination.

Identification: Includes event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis.
Preservation: Includes imaging technologies, chain of custody standards, and time synchronization.
Collection: Includes approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques.
Examination: Includes traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction.
44
Q

Which type of BCP testing occurs when managers of each department or functional area review the BCP and make note of any modifications to the plan for the BCP committee?

Simulation test
Structured walk-through test
Checklist test
Table-top exercise

A

Checklist test
45
Q

Which of the following BEST describes the meaning of Legal permissibility in a computer crime?

Evidence is deemed by the judge to be useful to reach a decision
Evidence is deemed by the law enforcement to be presented to a judge
Evidence the judge allows in the court of law per rules of the state
Any evidence an attorney thinks they can present to the judge or jurors

A

Evidence the judge allows in the court of law per rules of the state
46
Q

At which stage of incident response are necessary adjustments or enhancements made to policies and procedures?

Analysis
Investigation
Tracking
Post-mortem
Triage
Recovery
Containment

A

Recovery.

Triage: The incident response team examines the incident to see what was affected and sets priorities.
Investigation: Involves the collection of relevant data.
Containment: The damage is mitigated or contained.
Analysis: Where the root cause of the incident is discovered.
Tracking: The source (user or device) of the incident is determined.
Post-mortem review: Completed last as part of the incident response.
Recovery: Necessary adjustments or enhancements are made to policies and procedures.
47
Q

Which of the following steps in the life cycle of evidence comes last?

Collect
Store
Return
Analyze
Present

A

Return.

1. Collect evidence from the site.
2. Analyze the evidence using a team of experts.
3. Store the evidence in a secure place to ensure that the evidence is not tampered with.
4. Present the evidence in a court of law.
5. Return the evidence to the owner after the proceedings are over.
48
Q

What type of control is separation of duties and responsibilities, which is valuable in deterring fraud by ensuring that no single individual can compromise a system?

Preventive administrative control
Technological user control
Logical and technical control
Administrative human control

A

Preventive administrative control
49
Q

In which phase of embedded device analysis will the investigator extract the artifacts from the original media and then organize them on CD-ROM or DVD-ROM?

Preservation
Collection
Analysis
Presentation

A

Presentation.

Collection: Artifacts considered to be of evidentiary value (digital data in the form of disk drives, flash memory drives, or other forms of digital media) are identified and collected.
Preservation: Focuses on preserving original artifacts in a way that is reliable, complete, accurate, and verifiable. Cryptographic hashing, checksums, and documentation are all key components of the preservation phase.
Analysis or Filtering: Investigators will attempt to filter out data which is determined not to contain any artifacts of evidentiary value.
Presentation: Potential artifacts of evidentiary value are presented, normally starting with the investigator extracting the artifacts from the original media and then staging and organizing them on CD-ROM or DVD-ROM.
50
Q

Which step in the investigative process includes data reduction?

Preservation
Collection
Examination
Identification

A

Collection.

Identification: Includes event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis.
Preservation: Includes imaging technologies, chain of custody standards, and time synchronization.
Collection: Includes approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques.
Examination: Includes traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction.
51
Q

When an organization evaluates information to identify vulnerabilities, threats, and issues related to risk, it has applied which security principle?

Due diligence
Due care
Job rotation
Separation of duties

A

Due diligence
52
Q

Which type of BCP testing is most accurate?

Simulation test
Structured walk-through test
Checklist test
Table-top exercise

A

Structured walk-through test
53
Q

Which electronic backup method copies files as modifications occur in real time?

Tape vaulting
Electronic vaulting
Synchronous replication
Asynchronous replication

A

Electronic vaulting
54
Q

What is it known as when two internal departments of a company agree to support each other and respond to problems within a reasonable timeframe while providing required service to each other?

Service level agreement
Branch level agreement
Internal agreement
Administrative agreement

A

Service level agreement
55
Q

Which stage of incident response involves the collection of relevant data?

Analysis
Investigation
Tracking
Post-mortem
Triage
Recovery
Containment

A

Investigation.

Triage: The incident response team examines the incident to see what was affected and sets priorities.
Investigation: Involves the collection of relevant data.
Containment: The damage is mitigated or contained.
Analysis: Where the root cause of the incident is discovered.
Tracking: The source (user or device) of the incident is determined.
Post-mortem review: Completed last as part of the incident response.
Recovery: Necessary adjustments or enhancements are made to policies and procedures.
56
Q

Which of the following types of evidence should be collected second in an investigation of a computer crime?

Memory contents
Raw disk blocks
Swap files
File system information
Network processes
System processes

A

Swap files
57
Q

What type of evidence does not require any corroboration?

Secondary evidence
Best evidence
Conclusive evidence
Hearsay evidence

A

Hearsay evidence
58
Q

Which of the following is an isolated area that is used by trusted processes?

Protection domain
Trusted path
Security kernel
Execution domain

A

Execution domain
59
Q

Which step in the investigative process includes chain of custody standards?

Preservation
Collection
Examination
Identification

A

Preservation
60
Q

What type of evidence is not adequate to implicate a suspect but can complement the primary evidence?

Secondary evidence
Corroborative evidence
Circumstantial evidence
Hearsay evidence

A

Corroborative evidence
61
Q

At which stage of incident response is the source of the incident determined?

Analysis
Investigation
Tracking
Post-mortem
Triage
Recovery
Containment

A

Tracking.

Triage: The incident response team examines the incident to see what was affected and sets priorities.
Investigation: Involves the collection of relevant data.
Containment: The damage is mitigated or contained.
Analysis: Where the root cause of the incident is discovered.
Tracking: The source (user or device) of the incident is determined.
Post-mortem review: Completed last as part of the incident response.
Recovery: Necessary adjustments or enhancements are made to policies and procedures.
62
Q

Directing the output of the forensic imaging software to which interface is recommended when performing forensic imaging?

SCSI
Ethernet
Bluetooth
802.11

A

SCSI
63
Q

Which of the following arrangements for fault tolerance provide the least amount of protection contractually?

Warm site
Hot site
Reciprocal agreement
Cold site

A

Reciprocal agreement