Chapter 12 Flashcards

1
Q

During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?

See who is connected to the access point and attempt to find the attacker.

Run a packet sniffer to monitor traffic to and from the access point.

Disconnect the access point from the network.

Connect to the access point and examine its logs for information.

A

Disconnect the access point from the network.

2
Q

You are conducting a forensic investigation. The attack has been stopped. Which of the following actions should you perform first?

Stop all running processes.

Turn off the system.

Remove the hard drive.

Document what is on the screen.

A

Document what is on the screen.

3
Q

When you conduct a forensic investigation, which of the following initial actions is appropriate for preserving evidence?

Stop all running processes.

Turn off the system.

Remove the hard drive.

Document what is on the screen.

A

Document what is on the screen.

4
Q

What is the best definition of a security incident?

Interruption of productivity

Compromise of the CIA

Criminal activity

Violation of a security policy

A

Violation of a security policy

5
Q

What is the purpose of audit trails?

To detect security-violating events.

To correct system problems.

To prevent security breaches.

To restore systems to normal operations.

A

To detect security-violating events.

6
Q

After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best step or action to take next?

Deploy new countermeasures.

Back up all logs and audits regarding the incident.

Restore and repair any damage.

Update the security policy.

A

Back up all logs and audits regarding the incident.

7
Q

Which of the following is an important aspect of evidence-gathering?

Restore damaged data from backup media.

Monitor user access to compromised systems.

Back up all log files and audit trails.

Purge transaction logs.

A

Back up all log files and audit trails.

8
Q

As a security analyst, you suspect a threat actor used a certain tactic and technique to infiltrate your network. Which incident-response framework or approach would you utilize to see if other companies have had the same occurrence and what they did to remedy it?

MITRE ATT&CK

Diamond Model of Intrusion Analysis

Cyber Kill Chain

Communication plan with stakeholders

A

MITRE ATT&CK

9
Q

As a security analyst, you have discovered that the victims of a malicious attack have several things in common. Which tools would you use to help you identify who might be behind the attacks and prevent potential future victims? (Select two.)

Disaster recovery plan

MITRE ATT&CK

Cyber Kill Chain

Implement appropriate stakeholder management

Diamond Model of Intrusion Analysis

A

MITRE ATT&CK

Diamond Model of Intrusion Analysis

10
Q

You are in charge of making sure the IT systems of your company survive in case of any type of disaster in any of your locations. Your document should include organizational charts, phone lists, and order of restore. Each business unit should write their own policies and procedures with guidelines from corporate management. Which of the following documents should you create for this purpose?

Disaster recovery plan

Incident-response team charter

Business continuity plan

Communication plan

A

Business continuity plan

11
Q

Your browser has blocked you from your crucial secure intranet sites. What could be the problem?

You are using HTTP instead of HTTPS.

Your SSL certificate status has been revoked.

You misconfigured a content filter.

The firewall administrator set up a rule that blocked the users.

A

Your SSL certificate status has been revoked.

12
Q

You would like to make sure users are not accessing inappropriate content online at work. Which endpoint security strategy would you employ?

Content filtering
URL filters
Firewall rules
Mobile device management (MDM)

A

Content filtering

13
Q

You want to allow RDP 3389 traffic into your network for a group of users to access a particular workstation that has a special application in your office. Which endpoint security tool would you use to make this happen?

URL filters
Firewall rules
Data monitoring apps
Content filters

A

Firewall rules

14
Q

You need to remotely wipe an Android phone for one of your rogue users. Which endpoint tool would you use?

Mobile application management (MAM)
Quarantining
MAM-WE
Mobile device management (MDM)

A

Mobile device management (MDM)

15
Q

This application endpoint-protection rule implicitly denies unless added to the rule. Which of the following processes describes this?

Content filtering
Blacklisting
Quarantining
Whitelisting

A

Whitelisting

16
Q

You would like to enhance your incident-response process and automate as much of it as possible. Which of the following elements would you need to include? (Select two.)

Blacklisting
Runbooks
Quarantining
Whitelisting
Playbooks

A

Runbooks
Playbooks

17
Q

You have detected and identified a security event. What’s the first step you should complete?

Containment
Segmentation
Isolation
Playbook

A

Containment

18
Q

You need to limit a compromised application from causing harm to other assets in your network. Which strategy should you employ?

SOAR
Isolation
Segmentation
Containment

A

Isolation

19
Q

You need to limit the impact of a security breach for a particular file server with sensitive company data. Which strategy would you employ?

Containment
Isolation
Segmentation
SOAR

A

Segmentation

20
Q

As a security analyst, you are looking for a platform to compile all your security data generated by different endpoints. Which tool would you use?

SOAR
MDM
GDPR
MAM

A

SOAR

21
Q

Which of the following components are the SIEM’s way of letting the IT team know that a pre-established parameter is not within the acceptable range?

Dashboard
Trends
Sensors
Alerts

A

Alerts

22
Q

Some users report that frequent system crashes have started happening on their workstations. Upon further investigation, you notice that these users all have the same application installed that has been recently updated. Where would you go to conduct a root cause analysis?

Security log
Network log
Firewall log
Application log

A

Application log

23
Q

You suspect cache poisoning or spoofing has occurred on your network. Users are complaining of strange web results and being redirected to undesirable sites. Which log would help you determine what is going on?

Application logs
Security logs
DNS logs
Network logs

A

DNS logs

24
Q

You suspect a bad video driver is causing a user’s system to randomly crash and reboot. Where would you go to identify and confirm your suspicions?

Application logs
SIP logs
Dump files
Syslog

A

Dump files

25
Q

Which of the following is a standard for sending log messages to a central logging server?

Syslog
OVAL
Nmap
LC4

A

Syslog

26
Q

You are concerned that an attacker can gain access to your web server, make modifications to the system, and alter the log files to hide his or her actions. Which of the following actions would best protect the log files?

Use syslog to send log entries to another server.

Configure permissions on the log files to prevent access.

Take a hash of the log files.

Encrypt the log files.

A

Use syslog to send log entries to another server.

27
Q

Over the past few days, a server has gone offline and rebooted automatically several times. You would like to see a record of when each of these restarts has occurred.

Which log type should you check?

Security
System
Performance
Firewall

A

System

28
Q

Which log file type is one of the most tedious to parse but can tell you exactly when users log onto your site and what their location is?

Web server logs
System logs
Event logs
Authentication logs

A

Web server logs

29
Q

You would like to get a feel for the amount of bandwidth you are using in your network. What is the first thing you should do?

Create data points.
Choose a protocol.
Set intervals.
Establish a baseline.

A

Establish a baseline.

30
Q

You are worried about email spoofing. What can be put throughout an email’s header that provides the originating email account or IP address and not a spoofed one?

Timestamp
Data points
Metadata
X-headers

A

X-headers

31
Q

Which two types of service accounts must you use to set up event subscriptions?

Local event administrators account

Collector computer account

Network server machine account

Default machine account

Specific user service account

A

Default machine account

Specific user service account

32
Q

By default, events received from the source computers in Event Subscription are saved in which log?

Application log
Forwarded Events log
Security log
System log

A

Forwarded Events log

33
Q

You set up Event Subscription, but you are getting an overwhelming amount of events recorded. What should you do?

Use the Runtime Status link
Define a filter
Choose the correct subscription type
Use the default machine account

A

Define a filter

34
Q

Which of the following are required to configure Event Subscription for event forwarding? (Select three.)

Start Windows Event Collector service on collector computer.

Give the subscription a name.

Start Windows Remote Management service on both the source and collector computers.

Configure the destination log.

Configure Runtime Status.

Create a Windows firewall exception for HTTP or HTTPS on all source computers.

Create a filter.

A

Start Windows Event Collector service on collector computer.

Start Windows Remote Management service on both the source and collector computers.

Create a Windows firewall exception for HTTP or HTTPS on all source computers.

35
Q

You are configuring a source-initiated subscription on the collector computer in Event Viewer. Which of the following do you need to specify?

Computer
Content filter
System log
Computer group

A

Computer group

36
Q

For some reason, your source computers are not communicating properly with the collector. Which tool would you use to verify communications?

Run winrm qc -q
Runtime Status
Event Viewer System log
Run wecutil qc

A

Runtime Status

37
Q

For source-initiated subscriptions, which tool do you use to configure event forwarding?

Filter settings
Group Policy
Service account
Event Viewer

A

Group Policy

38
Q

You have a large number of source computers in your IT environment. Which subscription type would be most efficient to employ?

HTTP or HTTPS
Event forwarding
Source-initiated
Collector-initiated

A

Source-initiated

39
Q

You want to set up a collector-initiated environment for event subscriptions. Which commands would you run? (Select two.)

Run wecutil qc /q on the source computer

Run winrm qc -q on the source computer.

Run wecutil qc on the collector computer.

Run winrm qc /q on the collector computer.

Run wecutil qc on the source computer

Run winrm qc -q on the collector computer.

A

Run winrm qc -q on the source computer.

Run wecutil qc on the collector computer.

40
Q

You wish to configure collector-initiated event subscriptions. On the collector computer, in which program do you configure a subscription?

Event Viewer
Computer Management
Device Manager
Local Group Policy

A

Event Viewer

41
Q

What is the most important element related to evidence in addition to the evidence itself?

Completeness
Witness testimony
Chain of custody document
Photographs of the crime scene

A

Chain of custody document

42
Q

The chain of custody is used for which purpose?

Listing people coming into contact with the evidence

Retaining evidence integrity

Identifying the owner of the evidence

Detailing the timeline between creation and discovery of evidence

A

Listing people coming into contact with the evidence

43
Q

You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. Which type of document is this?

Rules of evidence
CPS (certificate practice statement)
Chain of custody
FIPS-140

A

Chain of custody

44
Q

How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence?

Write a log file to the media

Enable write protection

Create a checksum using a hashing algorithm

Reset the file attributes on the media to read-only

A

Create a checksum using a hashing algorithm

45
Q

As a security analyst, you are configuring your environment to be able to properly gather digital forensic information. Which of the following must be set up to help create a timeline of events?

Create a solid chain of custody that proves that no evidence-tampering has occurred.

Create tags for all your IT assets so that they are easily identifiable and trackable.

Make sure all client computers have their time set accurately by a time server.

Create a report template that helps you describe the incident, how the evidence was analyzed, and the conclusions you came to.

A

Make sure all client computers have their time set accurately by a time server.

46
Q

You want to store your computer-generated audit logs in case they are needed in the future for examination or to be used as evidence in the event of a security incident. Which method can you use to ensure that the logs you put in storage have not been altered when you use them in the future?

Encrypt the logs.

Create a hash of each log.

Make two copies of each log and store each copy in a different location.

Store the logs in an offsite facility.

A

Create a hash of each log.

47
Q

What does the hashing of log files provide?

Prevention of log files being altered or overwritten

Proof that the files have not been altered

Sequencing of files and log entries to recreate a timeline of events

Prevention of the system running when the log files are full

Confidentiality to prevent unauthorized reading of the files

A

Proof that the files have not been altered

48
Q

Which method can you use to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence?

Photographs
File directory listing
Serial number notation
Hashing

A

Hashing

49
Q

Your company is about to begin litigation, and you need to gather information. You need to get emails, memos, invoices, and other electronic documents from employees. You’d also like to get printed, physical copies of documents. Which tool would you use to gather this information?

Legal hold
Timestamps
Timeline of events
Chain of custody

A

Legal hold

50
Q

A forensic investigator gathers potential evidence from many software, hardware, and other sources. There is an order in which the evidence needs to be gathered. The order of volatility describes the process of capturing data based on the volatility of said data.

Place the following items in the correct order of volatility in the gathering of potential evidence. (1-5)

Swap/page file
RAM
Remote logs
Hard Drive
Archived data

A

1. RAM
2. Swap/page file
3. Hard drive
4. Remote logs
5. Archived data

51
Q

You need to find the text string New Haven in 100 documents in a folder structure on a Linux server. Which command would you use?

grep
tail
head
chmod

A

grep

52
Q

You would like to add some entries into the system log file. Which command would you use?

cat
logger
grep
chmod

A

logger

53
Q

You would like to see only the last 15 lines of /home/user/logfile on your Linux machine. Which command line interface (CLI) command would you use?

head -n 15 /home/user/logfile
tail -n 15 /home/user/logfile
tail -f /home/user/logfile
cat -n 15 /home/user/logfile

A

tail -n 15 /home/user/logfile

54
Q

A conditional statement that selects the statements to run depending on whether an expression is true or false is known as which of the following?

If else statement
If statement
Else statement
Else if statement

A

If else statement

55
Q

Which of the following BEST describes a constant?

A sequence of characters.

A group of related data values or elements.

A named unit of data that is assigned a value.

Data or a value that does not change.

A

Data or a value that does not change.

56
Q

!= or <> refers to Not Equal in which scripting language?

PowerShell
Bash
Python
PuTTY

A

Python

57
Q

Which of the following BEST describes PuTTY?

A mechanism that allows you to interact with the operating system directly.

Open-source software that is developed and supported by a group of volunteers.

A method that provides an encryption standard that’s widely used by internet websites.

A programming language for a special runtime environment that automates the execution of tasks.

A

Open-source software that is developed and supported by a group of volunteers.

58
Q

Match each network sniffing method with the correct definition.

MAC spoofing

-Allows an attacker’s computer to connect to a switch using an authorized MAC address.

-The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.

-The MAC address of the attacker can be associated with the IP address of another host.

-Creates a duplicate of all network traffic on a port and sends it to another device.

A

Allows an attacker’s computer to connect to a switch using an authorized MAC address.

59
Q

Match each network sniffing method with the correct definition.

Port mirroring

-Allows an attacker’s computer to connect to a switch using an authorized MAC address.

-The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.

-The MAC address of the attacker can be associated with the IP address of another host.

-Creates a duplicate of all network traffic on a port and sends it to another device.

A

Creates a duplicate of all network traffic on a port and sends it to another device.

60
Q

Match each network sniffing method with the correct definition.

ARP poisoning

-Allows an attacker’s computer to connect to a switch using an authorized MAC address.

-The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.

-The MAC address of the attacker can be associated with the IP address of another host.

-Creates a duplicate of all network traffic on a port and sends it to another device.

A

The MAC address of the attacker can be associated with the IP address of another host.

61
Q

Match each network sniffing method with the correct definition.

MAC flooding

-Allows an attacker’s computer to connect to a switch using an authorized MAC address.

-The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.

-The MAC address of the attacker can be associated with the IP address of another host.

-Creates a duplicate of all network traffic on a port and sends it to another device.

A

The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.

62
Q

For some reason, when you capture packets as part of your monitoring, you aren’t seeing much traffic. What could be the reason?

You have multiple MAC addresses associated with one NIC.

Your NIC is set to broadcasting instead of receiving.

You forgot to turn on promiscuous mode for the network interface.

Your machine is set to only capture HTTP packets.

A

You forgot to turn on promiscuous mode for the network interface.

63
Q

You would like to simulate an attack on your network so you can test defense equipment and discover vulnerabilities in order to mitigate risk. Which tool would you use to simulate all the packets of an attack?

Etherflood
Wireshark
TCPDump
TCPReplay

A

TCPReplay

64
Q

Which of the following is a recovery site that may have electricity connected, but there are no servers installed and no high-speed data lines present?

Hot site
Reciprocal agreement
Warm site
Cold site

A

Cold site

65
Q

To prevent server downtime, which of the following components should be installed redundantly in a server system?

Power supply
CD or DVD drive
RAM modules
Floppy disk drive

A

Power supply

66
Q

You have been asked to deploy a network solution that includes an alternate location where operational recovery is provided within minutes of a disaster. Which of the following strategies would you choose?

Cold site
Warm site
Hot site
Hot spare

A

Hot site

67
Q

What is the primary security feature that can be designed into a network’s infrastructure to protect and support availability?

Switches instead of hubs
Periodic backups
Fiber optic cables
Redundancy

A

Redundancy

68
Q

Daily backups are completed at the ABD company location, and only a weekly backup is maintained at another network location. Which of the following disaster recovery strategies is ABD using?

Cold site
Hot spare
Warm site
Hot site

A

Warm site

69
Q

Which of the following disk configurations might sustain losing two disks? (Select two.)

RAID 1
RAID 1+0
RAID 0+1
RAID 5
RAID 0

A

RAID 1+0
RAID 0+1

70
Q

You have a computer with three hard disks. A RAID 0 volume uses space on Disk 1 and Disk 2. A RAID 1 volume uses space on Disk 2 and Disk 3.

Disk 2 fails. Which of the following is true?

Data on the RAID 1 volume is accessible; data on the RAID 0 volume is not.

Data on the RAID 0 volume is accessible; data on the RAID 1 volume is not.

Data on both volumes is not accessible.

Data on both volumes is still accessible.

A

Data on the RAID 1 volume is accessible; data on the RAID 0 volume is not.

71
Q

Which of the following drive configurations is fault tolerant?

RAID 0
RAID 5
Disk striping
Expanded volume set

A

RAID 5

72
Q

You have been asked to implement a RAID 5 solution for your network. What is the minimum number of hard disks that can be used to configure RAID 5?

2
3
4
5
6

A

3

73
Q

Which of the following network strategies connects multiple servers together so that if one server fails, the others immediately take over its tasks, preventing a disruption in service?

Clustering
Adapter bonding
Storage Area Networks (SANs)
Mirroring

A

Clustering

74
Q

A system failure has occurred. Which of the following restoration processes would result in the fastest restoration of all data to its most current state?

Restore the full backup and all differential backups

Restore the full backup and all incremental backups

Restore the full backup and the last incremental backup

Restore the full backup and the last differential backup

A

Restore the full backup and the last differential backup

75
Q

Your disaster recovery plan calls for backup media to be stored at a different location. The location is a safe deposit box at the local bank. Because of this, the disaster recovery plan specifies that you choose a method that uses the least amount of backup media, but also allows you to quickly back up and restore files.

Which backup strategy would BEST meet the disaster recovery plan?

Perform a full backup each day of the week.

Perform a full backup once per week and an incremental backup the other days of the week.

Perform a full backup once per year and a differential backup for the rest of the days in the year.

Perform a full backup once per month and an incremental backup the other days of the month.

Perform a full backup once per week and a differential backup the other days of the week.

A

Perform a full backup once per week and a differential backup the other days of the week.

76
Q

Your network uses the following backup strategy:

Full backups every Sunday night

Differential backups Monday night through Saturday night

On Thursday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data?

1
2
3
4
5

A

2

77
Q

Which backup strategy backs up all files from a computer’s file system, regardless of whether the file’s archive bit is set or not, and then marks them as backed up?

Full
Copy
Differential
Incremental

A

Full

78
Q

Your network performs a full backup every night. Each Sunday, the previous night’s backup tape is archived.

On a Wednesday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data?

1
2
3
4
5
6

A

1

79
Q

Which of the following describes a system image backup? (Select two.)

A system image only contains the operating system, installed programs, drivers, and user profile settings.

A system image does not include operating system files, program files, encrypted files, files in the Recycle Bin, user profile settings, or temporary files.

A system image includes only specified files and folders backed up to a compressed file.

A system image backup consists of an entire volume backed up to .vhd files.

A system image contains everything on the system volume, including the operating system, installed programs, drivers, and user data files.

A

A system image backup consists of an entire volume backed up to .vhd files.

A system image contains everything on the system volume, including the operating system, installed programs, drivers, and user data files.

80
Q

Which of the following are backed up during an incremental backup?

Only files that have changed since the last full or differential backup.

Only files that have changed since the last full backup.

Only files that are new since the last full or incremental backup.

Only files that have changed since the last full or incremental backup.

A

Only files that have changed since the last full or incremental backup.

81
Q

Which of the following is true of an incremental backup’s process?

Backs up all files regardless of the archive bit and resets the archive bit.

Backs up all files with the archive bit set and does not reset the archive bit.

Backs up all files with the archive bit set and resets the archive bit.

Backs up all files regardless of the archive bit and does not reset the archive bit.

A

Backs up all files with the archive bit set and resets the archive bit.

82
Q

Your network uses the following backup strategy:

Full backups every Sunday night

Incremental backups Monday night through Saturday night

On a Thursday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data?

1
2
3
4
5

A

4

83
Q

Why should backup media be stored offsite?

To reduce the possibility of theft

To prevent the same disaster from affecting both the network and the backup media

To comply with government regulation

To improve the efficiency of the restoration process

A

To prevent the same disaster from affecting both the network and the backup media