Book Review Questions Flashcards

Review questions provided in the Third Edition Study Guide (242 cards)

1
After running an nmap scan of the system, you receive scan data that indicates the following three ports are open: 22/TCP, 443/TCP, and 1521/TCP. What services commonly run on these ports?
SSH, HTTPS, Oracle
2
What type of system allows attackers to believe they have succeeded with their attack, thus providing defenders with information about their attack methods and tools?
Honeypot
3
What cybersecurity objective could be achieved by running your organization's web servers in redundant, geographically separate datacentres?
Availability
4
Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?
Authenticated
5
Security researchers recently discovered a flaw in the Chakra JavaScript scripting engine in Microsoft's Edge browser that could allow remote code execution or denial of service via a specifically crafted website. The CVSS 3.1 vector for this vulnerability reads CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. What is the attack vector and the impact to integrity based on this rating?
Network, High
6
Alice is a security engineer tasked with performing vulnerability scans for her organization. She encounters a false positive error in one of her scans. What should she do about this?
Verify that it is a false positive, and then document the exception.
7
Which phase of the incident response process is most likely to include gathering additional evidence, such as information that would support legal action?
Containment, Eradication, and Recovery
8
Which of the following descriptions explains an integrity loss?
Sensitive or proprietary information was changed or deleted
9
Hui's incident response program uses metrics to determine if their subscription to and use of IoC feeds is meeting the organization's requirements. Which of the following incident response metrics is most useful if Hui wants to assess their use of IoC feeds?
Mean time to detect (MTTD) metrics
10
Abdul's monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called?
Beaconing
11
What industry standard is used to describe risk scores?
CVSS
12
What term is used to describe the retention of data and information related to pending or active litigation?
Legal hold
13
During a forensic investigation Maria discovers evidence that a crime has been committed. What do organizations typically do to ensure that law enforcement can use data to prosecute a crime?
Document a chain of custody for the forensic data
14
Oscar's manager has asked him to ensure that a compromised system has been completely purged since the compromise. What is Oscar's best course of action?
Wipe and rebuild the system
15
Which of the following actions is not a common activity during the recovery phase of an incident response process?
Reviewing accounts and adding new privileges
16
A statement like "Windows workstations must have the current security configuration template applied to them before being deployed" is most likely to be part of which document?
Standards
17
A firewall is an example of what type of control?
Preventative
18
Cathy wants to collect network-based indicators of compromise as part of her security monitoring practice. Which of the following is not a common network-related IoC?
Scheduled updates
19
Nick wants to analyze a potentially malicious software package using an open source, locally hosted tool. Which of the following tools is best suited to his need if he wants to run the tool as part of the process?
Cuckoo Sandbox
20
Which software development life cycle model uses linear development concepts in an iterative, four-phase process?
Spiral
21
Naomi wants to make her applications portable and easy to move to new environments without the overhead of a full operating system. What type of solution should she select?
Containerization
22
Bharath wants to make changes to the Windows Registry. What tool should he select?
Regedit
23
Tom wants to set an appropriate logging level for his Cisco networking equipment while he's troubleshooting. What log level should he set?
7 (debugging)
24
Which of the following is not a common use of network segmentation?
Reducing availability
25
Ric's organization wants to implement zero trust. What concern should Ric raise about zero trust implementations?
They can be complex to implement
26
Michele has a security token that her company issues to her. What type of authentication factor does she have?
Possession
27
Which party in a federated identity service model makes assertions about identities to service providers?
IDPs
28
Which design concept requires that each action requested be verified and validated before it is allowed to occur?
Zero Trust
29
Juan's organization uses LDAP to allow users to log into a variety of services without having to type in their username and password again. What type of service is in use?
SSO
30
Jen's organization wants to ensure that administrator credentials are not used improperly. What type of solution should Jen recommend to address this requirement?
PAM
31
Financial and medical records are an example of what type of data?
PII
32
Which of the following is not part of cardholder data for credit cards?
The CVV
33
Sally wants to find configuration files for a Windows system. Which of the following is not a common configuration file location?
directory:\Windows\Temp
34
What type of factor is a PIN?
A knowledge factor
35
What protocol is used to ensure that logs are time synchronized?
NTP
36
OAuth, OpenID, SAML, and AD FS are all examples of what type of technology?
Federation
37
Example Corporation has split their network into network zones that include sales, HR, research and development, and guest networks, each separated from others using network security devices. What concept is Example Corporation using for their network security?
Segmentation
38
During a penetration test of Anna's company, the penetration testers were able to compromise the company's web servers and deleted their log files, preventing analysis of their attacks. What compensating control is best suited to prevent this issue in the future?
Sending logs to a syslog server
39
Ben is preparing a system hardening procedure for his organization. Which of the following is not a typical system hardening process or step?
Enabling additional services
40
Gabby is designing a multifactor authentication system for her company. She has decided to use a passphrase, time based code generator, and a PIN to provide additional security. How many distinct factors will she have implemented once she is done?
Two
41
Which of the following Linux commands will show you how much disk space is in use?
df
42
What Windows tool provides detailed information, including information about USB host controllers, memory usage, and disk transfers?
Perfmon
43
What type of network information should you capture to be able to provide a report about how much traffic systems in your network sent to remote systems?
Flow data
44
Which of the following technologies is best suited to prevent wired rogue devices from connecting to a network?
NAC
45
As part of her job, Danielle sets an alarm to notify her team via email if her Windows server uses 80 percent of its memory and to send a text message if it reaches 90 percent utilization. What is this setting called?
A monitoring threshold
46
Chris is reviewing a file that is part of an exploit package. He notes that there is a file that has content with curly brackets ({}) around statements. What file type from the following list is he most likely reviewing?
JSON
47
What term describes a system sending heartbeat traffic to a botnet command and control server?
Beaconing
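Cards 10 and 47 both describe beaconing: a compromised host checking in with its command-and-control server on a timer. The property that makes it detectable is the regularity of the check-ins, which human-driven traffic never has. The following is an added example written for this page, not code from the study guide or the deck; it assumes flow records already reduced to one (epoch seconds, source, destination, port, bytes) tuple per connection, and the sample flows, the 300-second period and the 10% jitter threshold are all constructed for illustration.

```python
"""Beaconing detection from flow records: flag conversations whose inter-flow timing
is too regular to be human. Added example; the flow records below are constructed."""
import statistics
from collections import defaultdict

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes).
# Assumption: flows are already reduced to one record per connection, as a
# NetFlow/IPFIX collector would export them.
_T0 = 1_700_000_000
_BEACON_OFFSETS = [0, 301, 598, 902, 1199, 1503, 1797, 2101, 2399, 2702, 2998, 3300]
_BROWSING_OFFSETS = [0, 12, 95, 96, 400, 1210, 1215, 2400, 3100]

SAMPLE_FLOWS = (
    # Suspected bot: ~300 s period with a few seconds of jitter, tiny constant payload.
    [(_T0 + o, "10.0.0.5", "203.0.113.10", 443, 412) for o in _BEACON_OFFSETS]
    # Ordinary user browsing: bursty, irregular, varied sizes.
    + [(_T0 + o, "10.0.0.7", "198.51.100.20", 443, 1500 + 300 * i)
       for i, o in enumerate(_BROWSING_OFFSETS)]
    # Too few flows to judge either way.
    + [(_T0 + o, "10.0.0.9", "203.0.113.77", 8080, 900) for o in (5, 605, 1205)]
)


def find_beacons(flows, min_flows=6, max_cv=0.10):
    """Return [(src, dst, port, mean_interval_s, cv)] for conversations that look like
    beacons: at least min_flows flows whose inter-arrival intervals have a coefficient
    of variation (stdev / mean) no greater than max_cv. Human-driven traffic is bursty
    and yields a CV well above 1; a fixed timer with small jitter yields a CV near 0.
    """
    by_conversation = defaultdict(list)
    for ts, src, dst, port, _nbytes in flows:
        by_conversation[(src, dst, port)].append(ts)

    results = []
    for (src, dst, port), times in by_conversation.items():
        if len(times) < min_flows:
            continue  # not enough history to call it periodic
        times.sort()
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue  # every flow shares one timestamp: a burst, not a beacon
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            results.append((src, dst, port, round(mean), round(cv, 3)))
    return results


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print("beacon-like: %s -> %s:%d every ~%ds (cv=%.3f)" % hit)
```

Run against the sample, only 10.0.0.5 -> 203.0.113.10:443 is reported (period 300 s, CV about 0.01); the browsing host's CV is above 1 and the third conversation has too little history. In practice you would pair this with the baselines from cards 166 and 182, since some legitimate software (update checks, monitoring agents) also beacons on a timer.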
48
Cameron wants to check if a file matches a known good original. What technique can he use to do so?
Hash both the file and the original and compare the hashes
49
What can the MAC address of a rogue device tell you?
The manufacturer of the device
50
How can Jim most effectively locate a wireless rogue access point that is causing complaints from employees in his building?
Signal strength and triangulation
51
Which of the following tools does not provide real time drive capacity monitoring for Windows?
Microsoft Configuration Manager
52
One of the business managers in Geeta's organization reports that she received an email with a link that appeared to be a link to the organization's HR website, and that the website it went to when she clicked on it was very similar to the organization's website. Fortunately, the manager noticed the URL was different from usual. What technique best describes a link that is disguised to appear legitimate?
Obfuscated link
53
Angela wants to review the syslog on a Linux system. What directory should she check to find it on most Linux distributions?
/var/log
54
Laura wants to review headers in an email that one of her staff is suspicious of. What should she not have that person do if she wants to preserve the headers?
She shouldn't have them forward the email to her.
55
Which of the following is a key differentiator between a SIEM and a SOAR?
A SOAR provides automated response capabilities
56
Which of the following options is not a valid way to check the status of a service in windows?
Use service --status at the command line
57
Avik has been asked to identify unexpected traffic on her organization's network. Which of the following is not a technique she should use?
Beaconing
58
Sofia suspects that a system in her datacenter may be sending beaconing traffic to a remote system. Which of the following is not a useful tool to help verify her suspicions?
SNMP
59
Susan wants to use an email security protocol to determine the authenticity of an email. Which of the following options will ensure that her organization's email server can determine if it should accept email from a sender?
DMARC
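DMARC is the answer to card 59 because it is the protocol that turns SPF and DKIM results into an accept/quarantine/reject decision, and it does so by checking that the domain each of them authenticated is aligned with the domain the user sees in the From header. The following is an added example of that evaluation, written for this page rather than taken from the study guide or any mail server; the DMARC record and the authentication results are constructed, and the organizational-domain lookup is a stated simplification (real receivers use the Public Suffix List).

```python
"""DMARC evaluation for one inbound message (RFC 7489 semantics, simplified).
Added example; the DNS record and authentication results below are constructed."""


def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; sp=quarantine'."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("unknown policy: %r" % tags["p"])
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Assumption for this example only: a production receiver consults the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment (RFC 7489 section 3.1): strict ('s') requires an exact
    match; relaxed ('r') only requires the same organizational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    from_domain : domain in the RFC5322.From header (what the recipient sees)
    spf_domain  : domain SPF was evaluated against (MAIL FROM / HELO)
    dkim_domain : d= tag of the DKIM signature that verified
    DMARC passes if SPF or DKIM passed *and* that mechanism's domain aligns
    with the From domain. Otherwise the record's policy applies.
    """
    tags = parse_dmarc(record)
    spf_pass = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_pass = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_pass or dkim_pass:
        return ("pass", "none")
    # Failure: p= applies to the org domain, sp= (if present) to its subdomains.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return ("fail", policy)


# Constructed DNS answer for _dmarc.example.com (example.com is a reserved name).
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # A message whose From is example.com but whose only passing check is DKIM d=example.org.
    print(evaluate(EXAMPLE_RECORD, "example.com", "fail", "mailer.example.net", "pass", "example.org"))
```

Note what the last call shows: SPF and DKIM can both succeed for the domain that actually sent the message, and DMARC still rejects it, because neither authenticated domain matches the From domain the user sees. That alignment check is what distinguishes DMARC from SPF and DKIM on their own.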
60
Juan wants to see a list of processes along with their CPU utilization in an interactive format. What built in Linux tool should he use?
top
61
Which of the following measures is not commonly used to assess threat intelligence?
Detail
62
Nandita has encountered an attacker who appears to be using a commonly available exploit package to attack her organization. The package seems to have been run with default configurations against her entire public-facing Internet presence from a single system. What type of threat actor is she most likely facing?
A script kiddie
63
Which of the following activities follows threat data analysis in the threat intelligence cycle?
Threat Intelligence Dissemination
64
Susan wants to start performing intelligence gathering. Which of the following options is frequently conducted in the requirements gathering stage?
Review of security breaches or compromises your organization has faced.
65
What organizations did the US government help create to share knowledge between organizations in specific verticals?
ISACs
66
Which of the following threat actors typically has the greatest access to resources?
Nation state actors
67
Organizations like Anonymous which target governments and businesses for political reasons are examples of what type of threat actor?
Hacktivists
68
Jason gathers threat intelligence that tells him that an adversary his organization considers a threat likes to use USB key drops to compromise their targets. What is this an example of?
A possible attack vector
69
What type of assessment is particularly useful for identifying insider threats?
Behavioural
70
Felix wants to gather threat intelligence about an organized crime threat actor. Where is he most likely to find information published by the threat actor?
Dark web
71
Which of the following is not a common indicator of compromise?
Administrative account log ins
72
Nick wants to analyze attacker tactics and techniques. What type of tool can he deploy to most effectively capture actual attack data for analysis?
Honeypot
73
Which of the following is not a common focus area for threat hunting activities?
Policies
74
What term describes an analysis of threat information that might include details such as whether it is confirmed by multiple independent sources or has been directly confirmed?
Confidence level
75
What drove the creation of ISACs in the United States?
Threat information sharing for infrastructure owners
76
How is threat intelligence sharing most frequently used for vulnerability management?
As part of vulnerability feeds for scanning systems
77
OpenIOC uses a base set of indicators of compromise originally created and provided by which security company?
Mandiant
78
Advanced persistent threats are most commonly associated with which type of threat actor?
Nation state actors
79
What are the two types of insider threats?
Intentional and unintentional
80
Forensic data is most often used for what type of threat assessment data?
IOCs
81
Megan wants to use the Metasploit Framework to conduct a web application vulnerability scan. What module from the following list is best suited to her needs?
wmap
82
What flag does nmap use to enable operating system identification?
-O
83
What command line tool can be used to determine the path that traffic takes to a remote system?
traceroute
84
Valerie wants to use a graphical interface to control nmap and wants to display her scans as a visual map to help her understand her target networks. What tool from the following list should she use?
Zenmap
85
Susan runs an nmap scan using the following command: nmap -O -Pn 192.168.1.0/24. What information will she see about the hosts she scans?
Hostname, service ports, and operating system
86
Tuan wants to gather additional information about a domain that he has entered in Maltego. What functionality is used to perform server based actions in Maltego?
A transform
87
Laura wants to conduct a search for hosts using Recon-ng but wants to leverage a search engine with API access to acquire existing data. What module should she use?
recon/domains-hosts/shodan_hostname
88
After running an nmap scan Geoff sees ports 80 and 443 open on a system he scanned. What reasonable guess can he make about the system based on this result?
The system is running a web server
89
What information is used to identify network segments and topology when conducting an nmap scan?
Time to live
90
Murali wants to scan a network using nmap and has run a scan without any flags without discovering all of the hosts that he thinks should show. What scan flag can he use to scan without performing host discovery that will also determine if services are open on the systems?
-Pn
91
Jaime is using the Angry IP Scanner and notices that it supports multiple types of pings to identify hosts. Why might she choose to use a specific type of ping over others?
To bypass firewalls
92
Hue wants to perform network footprinting as part of a reconnaissance effort. Which of the following tools is best suited to passive footprinting given a domain name as the starting point for her efforts?
Maltego
93
Jack wants to scan a system using the Angry IP Scanner. What information does he need to run the scan?
The system's IP address
94
Which of the following is not a reason that security professionals often perform packet capture while conducting port and vulnerability scanning?
to prevent external attacks
95
What process uses information such as the way that a system's TCP stack responds to queries, what TCP options it supports, and the initial window size it uses?
OS detection
96
Li wants to use Recon-ng to gather data from systems. Which of the following is not a common use for Recon-ng?
Conducting vulnerability scans of services
97
Jason wants to conduct a port scan using the Metasploit Framework. What tool can he use from the framework to do this?
Nmap
98
Sally wants to use operating system identification using nmap to determine what OS a device is running. Which of the following is not a datapoint used by nmap to identify operating systems?
TCP OS header
99
Chris wants to perform network based asset discovery. What limitation will he encounter if he relies on a port scanner to perform his discovery?
Firewalls can prevent port scanners from detecting systems.
100
Emily wants to gather open source intelligence and centralize it using an open source tool. Which of the following tools is best suited to managing the collection of data for her OSINT efforts?
Recon-ng
101
What federal law requires the use of vulnerability scanning on information systems operated by federal government agencies?
FISMA
102
Which one of the following industry standards describes a standard approach for setting up an information security management system?
ISO 27001
103
What tool can administrators use to help identify the systems present on a network prior to conducting vulnerability scans?
Asset inventory
104
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
Quarterly
105
Which of the following is not an example of a vulnerability scanning tool?
Snort
106
Bethany is the vulnerability management specialist for a large retail organization. She completed her last PCI DSS scan in March. In April, the organization upgraded their point of sale system, and Bethany is preparing to conduct new scans. When must she complete the new scan?
Immediately
107
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?
Read only
108
Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?
CPE
109
Bill would like to run an internal vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans?
Any qualified individual
110
Which type of organization is the most likely to face a regulatory requirement to conduct vulnerability scans?
Government Agency
111
Which one of the following organizations focuses on providing tools and advice for secure web application development?
OWASP
112
What term describes an organization's willingness to tolerate risk in their computing environment?
Risk appetite
113
Which one of the following factors is least likely to impact vulnerability scanning schedules?
Staff availability
114
Barry placed all of his organization's credit card processing systems on an isolated network dedicated to card processing. He has implemented appropriate segmentation controls to limit the scope of PCI DSS to those systems through the use of VLANs and firewalls. When Barry goes to conduct vulnerability scans for PCI DSS compliance purposes, what systems must he scan?
Systems on the isolated network
115
Ryan is planning to conduct a vulnerability scan of a business critical system using dangerous plugins. What would be the best approach for the initial scan?
Run the scan in a test environment.
116
Which one of the following activities is not part of the vulnerability management life cycle?
Reporting
117
What approach to vulnerability scanning incorporates information from agents running on the target servers?
Continuous monitoring
118
Kolin would like to use an automated web application vulnerability scanner to identify any potential security issues in an application that is about to be deployed in his environment. Which one of the following tools is least likely to meet his needs?
ZAP
119
Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task?
CVSS
120
Sarah would like to run an external vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans?
An approved scanning vendor.
121
Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What technology is likely in use on this network that resulted in this vulnerability?
NAT
122
Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack?
PR
123
Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit?
low
124
Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for total compromise of a system?
H
125
What is the most recent version of CVSS that is currently available?
3.1 (the current version when the Third Edition was written; FIRST published CVSS 4.0 in November 2023)
126
Which one of the following metrics is not included in the calculation of the CVSS exploitability score?
Vulnerability age
127
Keven recently identified a new software vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into?
Medium
128
Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?
False positive
129
Which one of the following is not a common source of information that may be correlated with vulnerability scan results?
Database tables
130
Which one of the following operating systems should be avoided on production networks?
Windows Server 2008 R2
131
In what type of attack does the attacker place more information in a memory location than is allocated for that use?
Buffer overflow
132
The Dirty COW attack is an example of what type of vulnerability?
Privilege escalation
133
Which one of the following protocols should never be used on a public network?
Telnet
134
Betty is selecting a transport encryption protocol for use in a new public website she is creating. Which protocol would be the best choice?
TLS 1.3
135
Which one of the following conditions would not result in a certificate warning during a vulnerability scan of a web server?
Inclusion of a public encryption key
136
What type of attack depends on the fact that users are often logged into many websites simultaneously in the same browser?
Cross-site request forgery
137
Bonnie discovers entries in a web server log indicating that penetration testers attempted to access the following URL: www.mycompany.com/sortusers.php?file=C:\uploads\attack.exe. What type of attack did they most likely attempt?
Local file inclusion
138
Which one of the following terms is not typically used to describe the connection of physical devices to a network?
IDS
139
Monica discovers that an attacker posted a message in a web forum that she manages that is attacking users who visit the site. Which one of the following attack types is most likely to have occurred?
Cross-site scripting
140
Alan is reviewing web server logs after an attack and finds many records that contain semicolons and apostrophes in queries from end users. What type of attack should he suspect?
SQL injection
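Cards 137, 139 and 140 are all exercises in reading attack indicators out of web server logs: a Windows path in a file= parameter, a script tag in posted content, apostrophes and semicolons in a query. The following added example (written for this page, not from the study guide) does that reading mechanically over a constructed Apache combined-format log excerpt; the regular expressions are simple heuristics chosen to match the cards, not a web application firewall ruleset, and the log lines and IP addresses are constructed.

```python
"""Scan web server access logs for injection indicators. Added example; the log
lines are constructed (Apache combined format) and the patterns are deliberately
simple heuristics matching the indicators in cards 137, 139 and 140."""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/Nginx combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators, matched against each URL-decoded query parameter value.
PATH_TRAVERSAL = re.compile(r"(\.\./|\.\.\\|^[A-Za-z]:[\\/]|^/etc/|^/proc/)")   # LFI / traversal
XSS = re.compile(r"(?i)(<script|javascript:|on(?:error|load|mouseover)\s*=)")
SQLI = re.compile(r"(?i)('|;|--|\b(?:union|select|sleep|benchmark)\b)")

INDICATORS = (("lfi", PATH_TRAVERSAL), ("xss", XSS), ("sqli", SQLI))


def classify_target(target):
    """Return the set of indicator names found in a request target (path + query).
    Values are URL-decoded first, since attackers routinely percent-encode payloads."""
    tags = set()
    query = urlsplit(target).query
    for pair in query.split("&"):
        if not pair:
            continue
        _name, _, raw_value = pair.partition("=")
        value = unquote_plus(raw_value)
        for tag, pattern in INDICATORS:
            if pattern.search(value):
                tags.add(tag)
    return tags


def scan_log(lines):
    """Return [(client_ip, target, sorted_tags)] for every request carrying an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        tags = classify_target(m.group("target"))
        if tags:
            findings.append((m.group("ip"), m.group("target"), sorted(tags)))
    return findings


# Constructed log excerpt (the IPs are from documentation ranges).
SAMPLE_LOG = r"""
203.0.113.5 - - [10/Mar/2024:10:15:01 +0000] "GET /sortusers.php?file=C:\uploads\attack.exe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:15:07 +0000] "GET /login.php?user=admin'%20OR%20'1'='1&pass=x HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:16:40 +0000] "GET /forum/post.php?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:10:17:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:10:17:05 +0000] "GET /download.php?file=../../etc/passwd HTTP/1.1" 404 300 "-" "curl/8.0"
""".strip().splitlines()

if __name__ == "__main__":
    for ip, target, tags in scan_log(SAMPLE_LOG):
        print(ip, ",".join(tags), target)
```

Two caveats a practitioner would add: POST bodies are not in the access log, so injection via form fields needs application or WAF logging; and a single apostrophe is a weak signal on its own (names like O'Brien), which is why card 140 frames it as a pattern seen across many records.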
141
Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?
Removed the vulnerability
142
You notice a high number of SQL injection attacks against a web application run by your organization, and you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?
Reduced the probability
143
Which one of the following is an example of a computer security incident?
A former employee crashes a server
144
During which phase of the incident response process would an organization implement defenses designed to reduce the likelihood of a security incident?
Preparation
145
Alan is responsible for developing his organization's detection and analysis capabilities. He would like to purchase a system that can combine log records from multiple sources to detect potential security incidents. What type of system is best suited to meet Alan's security objective?
SIEM
146
Ben is working to classify the functional impact of an incident. The incident has disabled email service for approximately 30 percent of his organization's staff. How should Ben classify the functional impact of this incident according to the NIST scale?
Medium
147
What phase of the incident response process would include measures designed to limit damage caused by an ongoing breach?
Containment, Eradication, and Recovery
148
What common criticism is leveled at the Cyber Kill Chain?
It includes actions outside the defended network
149
Karen is responding to a security incident that resulted from an intruder stealing files from a government agency. Those files contained unencrypted information about protected critical infrastructure. How should Karen rate the information impact of the loss?
Proprietary breach
150
Matt is concerned about the fact that log records from his organization contain conflicting timestamps due to unsynchronized clocks. What protocol can he use to synchronize clocks throughout the enterprise?
NTP
151
Which one of the following document types would outline the authority of a CSIRT to respond to a security incident?
Policy
152
A cross-site scripting attack is an example of what type of threat vector?
Web
153
What phase of the Cyber Kill Chain includes creation of persistent backdoor access for attackers?
Installation
154
Robert is finishing a draft of a proposed incident response policy for his organization. Who would be the most appropriate person to sign the policy?
CEO
155
Which one of the following is not an objective of the Containment, Eradication, and Recovery phase of incident response?
Detect an incident in progress
156
Renee is responding to a security incident that resulted in the unavailability of a website critical to her company's operations. She is unsure of the amount of time and effort that it will take to recover the website. How should Renee classify the recoverability effort?
Extended
157
Which one of the following is an example of an attrition attack?
Brute-force password attack
158
Who is the best facilitator for a post-incident lessons learned session?
An independent facilitator
159
Which one of the following elements is not normally found in an incident response policy?
Procedures for rebuilding systems
160
An on-path attack is an example of what type of threat vector?
Impersonation
161
Tommy is the CSIRT team leader for his organization and is responding to a newly discovered security incident. What document is most likely to contain step-by-step instructions that he might follow in the early hours of the response effort?
Playbook
162
Hank is responding to a security event where the CEO of his company had her laptop stolen. The laptop was encrypted but contained sensitive information about the company's employees. How should Hank classify the information impact of this security event?
None
163
Susan needs to track evidence that has been obtained throughout its life cycle. What documentation does she need to create and maintain if she expects the evidence to be used in a legal case?
Chain of custody
164
Hui wants to comply with a legal hold but knows that her organization has a regular process that purges logs after 45 days due to space limitations. What should she do if logs are covered by the legal hold?
Identify a preservation method to comply with the hold
165
Juan wants to validate the integrity of a drive that he has forensically imaged as part of an incident response process. Which of the following options should he select?
Compare a hash of the original drive to a hash of the drive image
166
Kathleen wants to determine if the traffic she is seeing is unusual for her network. Which of the following options would be the most useful to determine if traffic levels are not typical for this time of day in a normal week?
Baselines
167
Renee wants to adopt an open IoC feed. What issue is Renee most likely to need to address when adopting it?
The quality of the feed
168
Chris wants to use an active monitoring approach to test his network. Which of the following techniques is appropriate?
Pinging remote systems
169
Which of the following is not information commonly found in an IoC?
System images
170
Cameron wants to be able to detect a denial-of-service attack against his web server. Which of the following tools should he avoid?
iPerf
171
Sameer finds log information that indicates that a process that he believes is malicious starts at the same time every day on a Linux system. Where should he start looking for an issue like this?
He should check cron jobs
172
Jim uses an IoC feed to help detect new attacks against his organization. What should he do first if his security monitoring system flags a match for an IoC?
Review the alert to determine why it occurred
173
While monitoring network traffic to his web server cluster, Mark notices a significant increase in traffic. He checks the source addresses for inbound traffic and finds that the traffic is coming from many different systems all over the world. What should Mark identify this as if he believes it is an attack?
A distributed denial-of-service attack
174
Valentine wants to check for unauthorized access to a system. What two log types are most likely to contain this information?
Authentication logs and user creation logs
175
Sayed notices that a remote system has attempted to log into a system he is responsible for multiple times using the same admin user ID but different passwords. What has Sayed most likely discovered?
A brute-force attack
176
While Susan is monitoring a router via network flows, she sees a sudden drop in network traffic levels to zero, and the traffic chart shows a flat line. What has likely happened?
The monitored link has failed
177
Leo wants to monitor his application for common issues. Which of the following is not a typical method of monitoring for application issues?
System logging
178
Greg notices that a user account on a Linux server he is responsible for has connected to 10 machines via SSH within seconds. What type of IoC best matches this type of behaviour?
Bot-like behaviour
179
Arun wants to monitor for unusual database usage. Which of the following is most likely to be indicative of a malicious actor?
Increases in disk reads for the database
180
Valerie is concerned that an attacker may have gained access to a system in her datacenter. Which of the following behaviours is not a common network-based IoC that she should monitor for?
Increases in system memory consumption
181
Alex has noticed that the primary disk for his Windows server is quickly filling up. What should he do to determine what is filling up the drive?
Search for large files and directories
182
Joseph wants to be notified if user behaviours vary from normal on systems he maintains. He uses a tool to capture and analyze a week of user behaviour and uses that to determine if unusual behaviours occur. What is this practice called?
Baselining
183
Which one of the phases of incident response involves primarily active undertakings designed to limit the damage that an attacker might cause
containment eradication recovery
184
which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy
log records generated by strategy
185
alice is responding to a cybersecurity incident and notices a system that she suspects is comprimised she places the system on a quarantine vlan with limited access to other networked systems what containment strategy is alice pursuring
segmentation
186
alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and chooses instead to prevent the quarentine vlan from accessing any other systems by putting up firewall rules in place that limit access to other enterprise systems. the attacker can still control the system to allow alice to continue monitoring the incident what strategy is she now pursuing
isolation
187
after observing the attacker alice decides to remove the internet connection entirely leaving the systems running but inaccessible from outside the quartentine vlan. what strategy is she now pursuing
removal
188
Which one of the following tools may be used to isolate an attacker so that they may not cause damage to production systems but may still be observed by cybersecurity analysts?
Sandbox
189
Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority?
Containment
190
What should be clearly identified during a lessons learned review in order to reduce the likelihood of a similar incident escaping attention in the future?
IOCs
191
Which one of the following pieces of information is most critical to conducting a solid incident recovery effort?
Root cause of the attack
192
Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as high security risk, and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information?
Purge
193
Which one of the following activities is not normally conducted during the recovery validation phase?
Implement new firewall rules
194
What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network?
Eradication
195
Which one of the following is not a common use of formal incident reports?
Sharing with other organizations
196
Which one of the following data elements would not normally be included in an evidence log?
Malware signatures
197
Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goals?
None of the above
198
Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to the owner, an outside contractor. What is the appropriate disposition?
Destroy
199
Which one of the following is not typically found in a cybersecurity incident report?
Identity of the hacker
200
What NIST publication contains guidance on cybersecurity incident handling?
SP 800-61
201
Which one of the following is not a purging activity?
Resetting to a factory state
202
Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches will prevent Ben's systems from being used in this manner?
Removal
203
Why should organizations predetermine communication guidelines, according to NIST?
To ensure that appropriate communications are shared with the right parties
204
Valentine is preparing a vulnerability management report. What data point will provide the greatest help in determining if patching programs are not succeeding?
Information about recurrence
205
Jake wants to identify stakeholders for vulnerability management communications. Which stakeholder group is most likely to want information to be available via an API instead of written communication?
Security operations and oversight stakeholders
206
What phase of the NIST IR cycle does communication to stakeholders occur in?
All cycles include communication with stakeholders
207
Which of the following potential incident response metrics is least useful in understanding the organization's ability to respond to incidents?
Alert volume
208
Why might a service level agreement cause an organization to delay patching?
To meet performance targets defined by the SLA
209
Ian wants to ensure that patches are installed as part of a baseline for his organization. What type of tool should he invest in as part of his overall action plan for remediation?
A configuration management tool or system
210
Sally is preparing an incident response report. What part of the report is intended to help organizations understand the outcome of the incident and financial, reputational, or other damages?
The impact assessment
211
Jamie is concerned that her organization may face multiple inhibitors to remediation. Which of the following inhibitors to remediation is most often associated with performance or uptime targets?
Memorandums of understanding
212
Selah wants to include sections of relevant logs in her incident report. What report section most frequently includes logs?
As evidence in the appendix
213
Danielle has completed her incident report and wants to ensure that her organization benefits from the process. What exercise is most frequently conducted after the report to improve future IR processes?
A lessons learned exercise
214
What phase of the IR cycle does media training typically occur in?
Preparation
215
Michele is performing root cause analysis. Which of the following is not one of the four common steps in an RCA exercise?
Determining which individual or team was responsible for the problem
216
The organization that Charles works for has experienced a significant incident. Which of the following is most likely to require the organization to report the incident in a specific timeframe?
Regulatory compliance
217
After testing, Jim's team has determined that installing a patch will result in degraded functionality due to a service being modified. What should Jim suggest to address this inhibitor to remediation?
Identify a compensating control
218
Which of the following is not a NIST-recommended practice to help with media communication procedures?
Avoiding media contact throughout the IR process
219
An incident report is typically prepared in what phase of the NIST incident response cycle?
Post-Incident Activity
220
The security team that Chris works on has been notified of a zero-day vulnerability in Windows Server that was released earlier in the morning. Chris's manager asks Chris to immediately check recent vulnerability reports to determine if the organization is impacted. What should Chris tell his manager?
Zero-day vulnerabilities won't show in previously run vulnerability management reports
221
Mikayla's organization has identified an ongoing problem based on their vulnerability management dashboard reports. Trends indicate that patching is not occurring in a timely manner, and that patches are not being installed for some of the most critical vulnerabilities. What should Mikayla do if she believes that system administrators are not prioritizing patching?
Engage in awareness, education, and training activities
222
Geeta's organization operates a critical system provided by a vendor that specifies that the operating system cannot be patched. What type of solution should Geeta recommend when her vulnerability reporting shows the system is behind on patching and has critical vulnerabilities?
Identify and deploy a compensating control
223
Which format does dd produce files in while disk imaging?
RAW
224
Gurvinder has completed his root cause analysis and wants to use it to avoid future problems. What should he document next?
Lessons learned
225
Mike is conducting a root cause analysis. Which of the following is not a typical phase in the root cause analysis process?
Performing a risk analysis
226
Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen during her data acquisition process?
A write blocker
227
Frederick's organization has been informed that data must be preserved due to pending legal action. What is this type of requirement called?
A legal hold
228
What process is often performed as part of incident response forensic analysis?
Root cause analysis
229
Jeff is investigating a system compromise and knows that the first event was reported on October 5. What forensic tool capability should he use to map other events found in logs and files to this date?
A timeline
230
During her forensic copy validation process, Danielle hashed the original and cloned image files and received the following MD5 sums. What is likely wrong?
An unknown change or problem occurred
231
Jennifer wants to perform memory analysis and forensics for Windows, macOS, and Linux systems. Which of the following is suited to her needs?
The Volatility Framework
232
As part of her review of a forensic process, Lisa is reviewing a log that lists each time a person handled a forensic image. She notices that an entry lists forensic analysis actions but does not have a name logged. What concept does this violate?
Chain of custody
233
Why is validating data integrity critical to forensic processes?
It ensures the system has not been altered by the forensic examiner
234
Carl does not have the ability to capture data from a cell phone using mobile forensic or imaging software, and the phone does not have removable storage. Fortunately, the phone was not set up with a PIN or screen lock. What is his best option to ensure he can see email and other data stored there?
Manual access
235
What forensic issue might the presence of a program like CCleaner indicate?
Antiforensic activities
236
Which of the following is not a potential issue with live imaging of a system?
Unallocated space will be captured
237
During his investigation, Jeff, a certified forensic examiner, is provided with a drive image created by an IT staff member and is asked to add it to his forensic case. What is the most important issue that Jeff could encounter if the case goes to court and his procedures are questioned?
Inability to certify chain of custody
238
Jeff is investigating a system that is running malware that he believes encrypts its data on the drive. What process should he use to have the best chance of viewing that data in an unencrypted form?
Live imaging
239
Susan needs to capture network traffic from a Linux server that does not use a GUI. What packet capture utility is found on many Linux systems and works from the command line?
tcpdump
240
During a forensic investigation, Ben asks Chris to sit with him and to sign off on the actions he has taken. What is he doing?
Maintaining chain of custody
241
Which tool is not commonly used to generate the hash of a forensic copy?
AES
242
Which of the following issues makes both cloud and virtualized environments more difficult to perform forensics on?
Systems may be ephemeral