Total - Ch7 Flashcards
Admissible evidence
Relevance
Reliability
Legality
Which type of security analyst spends most of their time monitoring security tools and other technology platforms for suspicious activity?
Tier 1 security analysts spend most of their time monitoring security tools and other technology platforms for suspicious activity. For all their sophistication, these tools tend to generate a lot of false positives (that is, false alarms), so security analysts need to go through and verify the alerts generated by these tools. These analysts are typically the least experienced, so their job is to triage alerts, handling the more mundane and passing on the more complex and dangerous ones to the more experienced staff in the security operations center (SOC).
Tier 2 analysts can dig deeper into alerts to determine if they constitute security incidents. If they do, these analysts can then coordinate with incident responders and intelligence analysts to further investigate, contain, and eradicate the threats.
Disaster recovery and business continuity plans become outdated for all of the following reasons except __________.
A.
A company’s infrastructure changes
B.
Exercising of the disaster recovery plan
C.
Personnel turnover
D.
Company and departmental reorganizations
Exercising of the disaster recovery plan
Which of the following is the correct sequence of the seven-stage intrusion model known as the Cyber Kill Chain framework?
Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives.
During which of the following phases of incident management does the incident response team contain the damage caused by a security incident?
A.
Preservation
B.
Response
C.
Eradication
D.
Remediation
B is correct. The goal of containment during the response phase of incident management is to prevent or reduce any further damage from this incident so that the incident response (IR) team can begin to mitigate and recover. Done properly, this buys the IR team time for a proper investigation and determination of the incident’s root cause.
Which of the following describes the maximum amount of time available for certifying the functionality and integrity of restored systems and data so they can be put back into production?
A.
Maximum tolerable downtime (MTD)
B.
Work recovery time (WRT)
C.
Recovery time objective (RTO)
D.
Recovery point objective (RPO)
B is correct. The work recovery time (WRT) is the maximum amount of time available for certifying the functionality and integrity of restored systems and data so they can be put back into production. RTO usually deals with getting the infrastructure and systems back up and running, and WRT deals with ensuring business users can get back to work using them. Another way to think of WRT is as the remainder of the overall MTD value after the RTO has passed.
MTD = RTO + WRT
Which of the following creates a connection between the two communicating systems at the session layer of the OSI model?
A.
Next-generation firewall
B.
Application-level proxy
C.
Circuit-level proxy
D.
Packet-filtering firewall
C is correct. A proxy firewall stands between a trusted network and an untrusted network and makes the connection, each way, on behalf of the source. What is important is that a proxy firewall breaks the communication channel; there is no direct connection between the two communicating devices. Where a packet-filtering device just monitors traffic as it is traversing a network connection, a proxy ends the communication session and restarts it on behalf of the sending system. A circuit-level proxy creates a connection (circuit) between the two communicating systems. It works at the session layer of the OSI model and monitors traffic from a network-based view. This type of proxy cannot “look into” the contents of a packet; thus, it does not carry out deep packet inspection (DPI). It can only make access decisions based on protocol header and session information that is available to it.
Enticement vs Entrapment
Entrapment: illegal
Enticement: Legal
Which of the following is considered a best practice when interviewing willing witnesses?
A.
Automatically assume the individual is guilty
B.
Compartmentalize information
C.
Interview multiple suspects at the same time
D.
Record the interview
B is correct. When interviewing someone during an investigation, you should make every effort to compartmentalize information. Your interview plan should address what information you share with each interviewee, and what you don’t share. You should not tell one interviewee what another said unless it’s absolutely essential.
Which of the following steps in the incident management process is considered the most important?
A.
Response
B.
Detection
C.
Mitigation
D.
Recovery
B is correct. Detection is the first and most important step in the incident management process. Responding to an incident requires realizing that you have a problem in the first place. The steps in the process are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.
hearsay evidence
A statement made outside of the court proceeding that is introduced into court as evidence
Which is primarily concerned with the chain of custody process?
Collection . ISO/IEC 27037, the international standard on digital evidence handling, identifies four phases of evidence handling: identification, collection, acquisition, and preservation. Evidence collection is the process of gaining physical control over devices that could potentially have evidentiary value. A chain of custody documents each person that has control of the evidence at every point in time. In large investigations, one person may collect evidence, another transport it, and a third store it. Keeping track of all these individuals is critical to proving in court that the evidence was not tampered with.
Which of the following incorporates functions of all previous legacy firewalls and also includes signature-based and/or behavioral analysis IPS engines?
A.
Next-generation firewall (NGFW)
B.
Proxy firewall
C.
Packet-filtering firewall
D.
Circuit-level proxy
A is correct. Some of the most advanced NGFWs include features that allow them to share signatures with a cloud-based aggregator so that once a new attack is detected by one firewall, all other firewalls manufactured by that vendor become aware of the attack signature.
D is incorrect. A circuit-level proxy creates a connection (circuit) between the two communicating systems. It works at the session layer of the OSI model and monitors traffic from a network-based view. This type of proxy cannot “look into” the contents of a packet; thus, it does not carry out deep packet inspection (DPI). It can only make access decisions based on protocol header and session information that is available to it.
Change management vs configuration management
Change management is a business process and configuration management is an operational process.
Incremental backup vs Differential backup
Incremental backup: 快的. Removes the archive bit
Full backup: removes the archive bit and 先于incremental & full backup.
Differential backup contains all of the data that has changed since last full backup.
Which of the following is the practice of minimizing the risks associated with the addition, modification, or removal of anything that could have an effect on IT services?
A.
Configuration management
B.
Risk management
C.
Change management
D.
Baseline management
C.
Change management
Which of the following detection techniques looks at the overall structure of suspected code and evaluates the coded instructions, logic functions, and the type of data within the code?
A.
Signature-based detection
B.
Heuristic detection
C.
Fingerprint-based detection
D.
Anomaly-based detection
B is correct. Heuristic detection examines code from a real-time perspective and looks at several characteristics of the code to determine if it is malicious.
Which of the following is the cyclical process of identifying asset weaknesses, determining the risks they pose to the organization, and applying security controls that bring those risks to acceptable levels?
A.
Vulnerability management
B.
Patch management
C.
Risk management
D.
Account management
A is correct. Vulnerability management is the cyclical process of identifying vulnerabilities, determining the risks they pose to the organization, and applying security controls that bring those risks to acceptable levels. Many people equate vulnerability management with periodically running a vulnerability scanner against their systems, but the process must include more than just that. Vulnerabilities exist not only in software, which is what the scanners assess, but also in business processes and in people.
C is incorrect. Risk management is the overall holistic management of different components of risk, such as threats, vulnerabilities, likelihood of a negative event occurring, and the impact of that negative event on the asset. Risk management covers far more than vulnerability management.
Which of the following change management processes is in the correct order?
A.
Request the change, evaluate the change, plan the change, implement the change, review the change, close or sustain the change
B.
Request the change, plan the change, implement the change, evaluate the change, review the change, close or sustain the change
C.
Plan the change, request the change, evaluate the change, implement the change, review the change, close or sustain the change
D.
Request the change, review the change, evaluate the change, plan the change, implement the change, close or sustain the change
A is correct. Although each organization will implement its own change management processes differently, the general steps remain the same. The correct order is request the change, evaluate the change, plan the change, implement the change, review the change, close or sustain the change.
What does a first generation firewall inspect?
The packets to see if they match any of the IF/THEN statements
You are the CIO of a large financial institution that is planning to implement a blockchain solution to streamline its internal processes and improve security. As part of this process, you have to decide on the type of consensus algorithm to use.
Which of the following consensus algorithms is the most suitable for the financial institution’s blockchain solution?
Delegated Proof of Stake
Proof of Stake
Proof of Work
Federated Byzantine Agreement
The Federated Byzantine Agreement (FBA) is a suitable consensus algorithm for this case. The FBA is used in permissioned (private) blockchains where the participants are known and trusted entities. It doesn’t require extensive computational resources like Proof of Work and allows for faster transaction validation. It provides robustness in the face of faulty nodes and can even tolerate malicious participants to a certain extent. It does this by forming ‘quorums’ or groups of nodes that agree on validations, thus maintaining the integrity of the network. The financial institution can control who participates in the blockchain network, thereby ensuring security, privacy, and compliance with regulatory requirements.
At what point do we reach our RTO (Recovery time objective)?
A. When the system is completely offline.
B. When the system hardware is restored.
C. When the system software is restored.
D. When the system is back in production.
The RTO (Recovery time objective) is when we have restored the system hardware.
Us getting the system back into production is the MTD (Maximum Tolerable Downtime).
When the system is completely offline is a distractor,
and when the system software is restored is the WRT (Work Recovery Time).
The maximum amount of time we can be down, must not exceed the time it takes us to rebuild the hardware, install the software and test the system (MTD > RTO + WRT).
What is the BEST practice for reporting an information security incident according
to ISO 27035?
* Notify the relevant authorities immediately
Report the incident to the CEO immediately
Conduct an internal investigation before reporting the incident
* Report the incident to the board of directors first
According to ISO 27035, the BEST practice for reporting an information security incident is to notify the relevant authorities immediately. This ensures that the incident is properly investigated and any necessary action is taken to prevent further damage or loss.
Claire is setting up a new contingency plan. What is MOST likely to be the first step Claire will complete?
Ensure application software is available for use
Ensure operational team procedures are available
Ensure operating system software is available to be installed as required
Ensure hardware is available for use
Ensure hardware is available for use
Which of these would we do FIRST after a successful DOS (Distributed Denial-Of-Service) attack?
Restore servers using backup media from our offsite storage facility.
Isolate the affected subnets.
Do an assessment of our systems to determine their status.
Do an impact analysis of the DDOS attack.
- Do an assessment of our systems to determine their status.
Mark wants to determine the subnet address of the IPv6 address
2001:1996:3451:6789::1782. Where can he find the subnet address and what is the value?
1st group, 2001
3rd group, 3451
4th group, 6789
8th group, 1782
4th group, 6789
As the firewall administrator, Claire notices a rule that permits traffic to port 80 on the server at address 47.23.56.255. What is the MOST likely reason Claire woul have to be suspicious of this rule?
The web server would never be assigned this address
This address cannot be reached by the firewall
This address is used to send a broadcast to all servers on the
subnet
This address is missing the subnet mask
This address is used to send a broadcast to all servers on the
subnet
An IPv4 address with 255 as the last octet broadcasts the traffic to all servers on the subnet, in this case the 47.23.56/24 subnet. By the same token, any server (web or otherwise) would never be assigned this address, but this is the result of the reason behind the correct answer. Port 80 is used by podcast servers to broadcast their traffic. The broadcast IP address can be reached by the firewall. In IPv4 if the address lacks a subnet mask, /32 is assumed.
What should we do FIRST when we are implementing Information Security
governance in our organization?
Determine our security baselines.
Adopt security best practices for our industry.
Make our security policies.
Define our security strategy.
- Define our security strategy.
Packet filtering firewall
Stateless inspection.
Network layer.
Source , Destination IP addresses / ports
Protocol types
Inbound and outbound traffic direction
Circuit-level proxy
session layer. look only at header packet information
Electronic vaulting
Remote journaling
tape vaulting
electronic tap vaulting
Electronic vaulting - make copies of files 定期, 并非real time
Remote journaling - move journals or transactions logs, 并非files,恢复时重组
tape vaulting - 定期将tap运送到另一个site
electronic tap vaulting - 利用serial line 传送到另一个site
In which of the following steps in the life cycle of evidence is the primary consideration that the evidence not be tampered with?
Collect
Store
Return
Analyze
Present
Store
Which of the following is a memory space isolated from other running processes?
Protection domain
Trusted path
Security kernel
Execution domain
Protection domain.
Execution domain: An isolated area that is used by trusted processes when they are run in a privileged state. This is used in a trusted computing base (TCB).
Protection domain: Memory space isolated from other running processes in a multiprocessing system.
Trusted path: The communication channel between applications and the kernel in the TCB.
Security kernel: Provides a foundation to build a trusted computing system.
Which type of BCP testing occurs when the operations and support personnel execute the DRP in a role-playing scenario to identify omitted steps and threats?
Simulation test
Structured walk-through test
Checklist test
Table-top exercise
Simulation test
Your organization has performed a business impact analysis (BIA). During the BIA, it has been determined that there are certain risks that can affect both the primary site and the hot site. It has been decided to implement another site that is geographically dispersed from the other two sites. Which of the following alternative site strategies should the organization implement?
Hot site
Warm site
Tertiary site
Cold site
Redundant site
Tertiary site
At which stage of incident response is the root cause of the incident discovered?
Analysis
Investigation
Tracking
Post-mortem
Triage
Recovery
Containment
Analysis.
Triage: The incident response team examines the incident to see what was affected and sets priorities
Investigation: Involves the collection of relevant data.
Containment: The damage is mitigated or contained.
Analysis: Where the root cause of the incident is discovered.
Tracking: The source ( user or device) of the incident is determined.
Post-mortem review: Completed last as part of the incident response.
Recovery: Necessary adjustments or enhancements are made to policies and procedures
Which of the following is a requirement if a person with a need to know is given permission to operate on a government computer?
Configuration management provides mechanism to change through formal approval
Change management is for software, configuration management is for hardware
Change management provides mechanism to change configuration through formal approval
Configuration management is for software, change management is for hardware
Change management provides mechanism to change configuration through formal approval
When should the law enforcement be involved for evidence to be admissible in the court of law in case of an incident?
As early as possible after incident is reported and data collected
Only when the local law enforcement has skills to deal with incident
After incident is reported and data collected and a case filed in a court
Immediately after incident occurrence without touching anything
As early as possible after incident is reported and data collected
Which of the following is the standard of care that a prudent person would have exercised under the same or similar conditions?
due care
prudent care
reasonable care
due diligence
due care
What type of evidence requires inference from the available facts?
Secondary evidence
Best evidence
Circumstantial evidence
Hearsay evidence
Circumstantial evidence presents intermediate facts that facilitate the judge and the jury to logically deduce a fact.
Which term is used for a leased facility that contains all the resources needed for full operation?
cold site
hot site
warm site
tertiary site
hot site
Which step in the investigative process includes signature resolution?
Preservation
Collection
Examination
Identification
Identification.
Identification: Includes event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis
Preservation: Includes imaging technologies, chain of custody standards, and time synchronization
Collection: Includes approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques
Examination: Includes traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction
What type of evidence does not require backup information?
Secondary evidence
Best evidence
Conclusive evidence
Direct evidence
Direct evidence
Which step in the investigative process includes hidden data extraction?
Preservation
Collection
Examination
Identification
Examination
Identification: Includes event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis
Preservation: Includes imaging technologies, chain of custody standards, and time synchronization
Collection: Includes approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques
Examination: Includes traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction
Which type of BCP testing occurs when managers of each department or functional area review the BCP and make note of any modifications to the plan for the BCP committee?
Simulation test
Structured walk-through test
Checklist test
Table-top exercise
Checklist test
Which of the following BEST describes the meaning of Legal permissibility in a computer crime?
Evidence is deemed by the judge to be useful to reach a decision
Evidence is deemed by the law enforcement to be presented to a judge
Evidence the judge allows in the court of law per rules of the state
Any evidence an attorney thinks they can present to the judge or jurors
Evidence the judge allows in the court of law per rules of the state
At which stage of incident response are necessary adjustments or enhancements made to policies and procedures?
Analysis
Investigation
Tracking
Post-mortem
Triage
Recovery
Containment
Recovery.
Triage: The incident response team examines the incident to see what was affected and sets priorities
Investigation: Involves the collection of relevant data.
Containment: The damage is mitigated or contained.
Analysis: Where the root cause of the incident is discovered.
Tracking: The source ( user or device) of the incident is determined. Post-mortem review: Completed last as part of the incident response.
Recovery: Necessary adjustments or enhancements are made to policies and procedures.
Which of the following steps in the life cycle of evidence comes last?
Collect
Store
Return
Analyze
Present
Return.
- Collect evidence from the site.
- Analyze the evidence using a team of experts.
- Store the evidence in a secure place to ensure that the evidence is not tampered with.
- Present the evidence in a court of law.
- Return the evidence to the owner after the proceedings are over.
What type of control is separation of duties and responsibilities, which is valuable in deterring fraud by ensuring that no single individual can compromise a system?
Preventive administrative control
Technological user control
Logical and technical control
Administrative human control
Preventive administrative control
In which phase of embedded device analysis will the investigator extract the artifacts from the original media and then organize them on CD-ROM or DVD-ROM?
Preservation
Collection
Analysis
Presentation
Presentation.
Collection: Artifacts considered to be of evidentiary value (digital data in the form of disk drives, flash memory drives, or other forms of digital media) are identified and collected.
Preservation: Focuses on preserving original artifacts in a way that is reliable, complete, accurate, and verifiable. Cryptographic hashing, checksums, and documentation are all key components of the preservation phase.
Analysis or Filtering: Investigators will attempt to filter out data, which is determined not to contain any artifacts of evidentiary value.
Presentation: Potential artifacts of evidentiary value are presented normally starting with the investigator extracting the artifacts from the original media and then staging and organizing them on CD-ROM or DVD-ROM.
Which step in the investigative process includes data reduction?
Preservation
Collection
Examination
Identification
Collection
Identification: Includes event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis
Preservation: Includes imaging technologies, chain of custody standards, and time synchronization
Collection: Includes approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques
Examination: Includes traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction
When an organization evaluates information to identify vulnerabilities, threats, and issues related to risk, it has applied which security principle?
Due diligence
Due care
Job rotation
Separation of duties
Due diligence
Which type of BCP testing is most accurate?
Simulation test
Structured walk-through test
Checklist test
Table-top exercise
Structured walk-through test
Which electronic backup method copies files as modifications occur in real time?
Tape vaulting
Electronic vaulting
Synchronous replication
Asynchronous replication
Electronic vaulting
What is it known as when two internal departments of a company agree to support each other and respond to problems within a reasonable timeframe while providing required service to each other?
Service level agreement
Branch level agreement
Internal agreement
Administrative agreement
Service level agreement
Which stage of incident response involves the collection of relevant data?
Analysis
Investigation
Tracking
Post-mortem
Triage
Recovery
Containment
Investigation.
Triage: The incident response team examines the incident to see what was affected and sets priorities
Investigation: Involves the collection of relevant data.
Containment: The damage is mitigated or contained.
Analysis: Where the root cause of the incident is discovered.
Tracking: The source ( user or device) of the incident is determined.
Post-mortem review: Completed last as part of the incident response.
Recovery: Necessary adjustments or enhancements are made to policies and procedures.
Which of the following types of evidence should be collected second in an investigation of a computer crime?
Memory contents
Raw disk blocks
Swap files
File system information
Network processes
System processes
Swap files
What type of evidence does not require any corroboration?
Secondary evidence
Best evidence
Conclusive evidence
Hearsay evidence
Hearsay evidence
Which of the following is an isolated area that is used by trusted processes?
Protection domain
Trusted path
Security kernel
Execution domain
Execution domain
Which step in the investigative process includes chain of custody standards?
Preservation
Collection
Examination
Identification
Preservation
What type of evidence is not adequate to implicate a suspect but can complement the primary evidence?
Secondary evidence
Corroborative evidence
Circumstantial evidence
Hearsay evidence
Corroborative evidence
At which stage of incident response is the source of the incident determined?
Analysis
Investigation
Tracking
Post-mortem
Triage
Recovery
Containment
Tracking.
Triage: The incident response team examines the incident to see what was affected and sets priorities
Investigation: Involves the collection of relevant data.
Containment: The damage is mitigated or contained.
Analysis: Where the root cause of the incident is discovered.
Tracking: The source ( user or device) of the incident is determined.
Post-mortem review: Completed last as part of the incident response.
Recovery: Necessary adjustments or enhancements are made to policies and procedures.
Directing the output of the forensic imaging software to which interface is recommended when performing forensic imaging?
SCSI
Ethernet
Bluetooth
802.11
SCSI
Which of the following arrangements for fault tolerance provide the least amount of protection contractually?
Warm site
Hot site
Reciprocal agreement
Cold site
Reciprocal agreement
