Chapter 12 Flashcards by W R

During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?

See who is connected to the access point and attempt to find the attacker.

Run a packet sniffer to monitor traffic to and from the access point.

Disconnect the access point from the network.

Connect to the access point and examine its logs for information.

Disconnect the access point from the network.

How well did you know this?

Not at all

Perfectly

You are conducting a forensic investigation. The attack has been stopped. Which of the following actions should you perform first?

Stop all running processes.

Turn off the system.

Remove the hard drive.

Document what is on the screen.

How well did you know this?

Not at all

Perfectly

When you conduct a forensic investigation, which of the following initial actions is appropriate for preserving evidence?

Stop all running processes.

Turn off the system.

Remove the hard drive.

Document what is on the screen.

How well did you know this?

Not at all

Perfectly

What is the best definition of a security incident?

Interruption of productivity

Compromise of the CIA

Criminal activity

Violation of a security policy

How well did you know this?

Not at all

Perfectly

What is the purpose of audit trails?

To detect security-violating events.

To correct system problems.

To prevent security breaches.

To restore systems to normal operations.

To detect security-violating events.

How well did you know this?

Not at all

Perfectly

After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best step or action to take next?

Deploy new countermeasures.

Back up all logs and audits regarding the incident.

Restore and repair any damage.

Update the security policy.

Back up all logs and audits regarding the incident.

How well did you know this?

Not at all

Perfectly

Which of the following is an important aspect of evidence-gathering?

Restore damaged data from backup media.

Monitor user access to compromised systems.

Back up all log files and audit trails.

Purge transaction logs.

Back up all log files and audit trails.

How well did you know this?

Not at all

Perfectly

As a security analyst, you suspect a threat actor used a certain tactic and technique to infiltrate your network. Which incident-response framework or approach would you utilize to see if other companies have had the same occurrence and what they did to remedy it?

Mitre Att@ck

Diamond Model of Intrusion Analysis

Cyber Kill Chain

Communication plan with stakeholders

Mitre Att@ck

How well did you know this?

Not at all

Perfectly

As a security analyst, you have discovered the victims of an malicious attack have several things in common. Which tools would you use to help you identify who might be behind the attacks and prevent potential future victims? (Select two.)

Disaster recovery plan

Mitre Att@cks

Cyber Kill Chain

Implement appropriate stakeholder management

Diamond Model of Intrusion Analysis

Mitre Att@cks

Diamond Model of Intrusion Analysis

How well did you know this?

Not at all

Perfectly

You are in charge of making sure the IT systems of your company survive in case of any type of disaster in any of your locations. Your document should include organizational charts, phone lists, and order of restore. Each business unit should write their own policies and procedures with guidelines from corporate management. Which of the following documents should you create for this purpose?

Disaster recovery plan

Incident-response team charter

Business continuity plan

Communication plan

Business continuity plan

How well did you know this?

Not at all

Perfectly

Your browser has blocked your from your crucial secure intranet sites. What could be the problem?

You are using HTTP instead of HTTPS.

Your SSL certificate status has been revoked.

You misconfigured a content filter.

The firewall administrator set up a rule that blocked the users.

Your SSL certificate status has been revoked.

How well did you know this?

Not at all

Perfectly

You would like to make sure users are not accessing inappropriate content online at work. Which endpoint security strategy would you employ?

Content filtering
URL filters
Firewall rules
Mobile device management (MDM)

Content filtering

How well did you know this?

Not at all

Perfectly

You want to allow RDP 3389 traffic into your network for a group of users to access a particular workstation that has a special application in your office. Which endpoint security tool would you use to make this happen?

URL filters
Firewall rules
Data monitoring apps
Content filters

Firewall rules

How well did you know this?

Not at all

Perfectly

You need to remotely wipe an android phone for one of your rogue users. Which endpoint tool would you use?

Mobile application management (MAM)
Quarantining
MAM-WE
Mobile device management (MDM)

Mobile device management (MDM)

How well did you know this?

Not at all

Perfectly

This application endpoint-protection rule implicitly denies unless added to the rule. Which of the following processes describes this?

Content filtering
Blacklisting
Quarantining
Whitelisting

Whitelisting

How well did you know this?

Not at all

Perfectly

You would like to enhance your incident-response process and automate as much of it as possible. Which of the following elements would you need to include? (Select two.)

Blacklisting
Runbooks
Quarantining
Whitelisting
Playbooks

Runbooks
Playbooks

How well did you know this?

Not at all

Perfectly

You have detected and identified a security event. What’s the first step you should complete?

Containment
Segmentation
Isolation
Playbook

Containment

How well did you know this?

Not at all

Perfectly

You need to limit a compromised application from causing harm to other assets in your network. Which strategy should you employ?

SOAR
Isolation
Segmentation
Containment

Isolation

How well did you know this?

Not at all

Perfectly

You need to limit the impact of a security breach for a particular file server with sensitive company data. Which strategy would you employ?

Containment
Isolation
Segmentation
SOAR

Segmentation

How well did you know this?

Not at all

Perfectly

As a security analyst, you are looking for a platform to compile all your security data generated by different endpoints. Which tool would you use?

SOAR
MDM
GDPR
MAM

SOAR

How well did you know this?

Not at all

Perfectly

Which of the following components are the SIEM’s way of letting the IT team know that a pre-established parameter is not within the acceptable range?

Dashboard
Trends
Sensors
Alerts

Alerts

How well did you know this?

Not at all

Perfectly

Some users report that frequent system crashes have started happening on their workstations. Upon further investigation, you notice that these users all have the same application installed that has been recently updated. Where would you go to conduct a root cause analysis?

Security log
Network log
Firewall log
Application log

Application log

How well did you know this?

Not at all

Perfectly

You suspect cache poisoning or spoofing has occurred on your network. Users are complaining of strange web results and being redirected to undesirable sites. Which log would help you determine what is going on?

Application logs
Security logs
DNS logs
Network logs

DNS logs

How well did you know this?

Not at all

Perfectly

You suspect a bad video driver is causing a user’s system to randomly crash and reboot. Where would you go to identify and confirm your suspicions?

Application logs
SIP logs
Dump files
Syslog

Dump files

How well did you know this?

Not at all

Perfectly

Which of the following is a standard for sending log messages to a central logging server? Syslog OVAL Nmap LC4

Syslog

You are concerned that an attacker can gain access to your web server, make modifications to the system, and alter the log files to hide his or her actions. Which of the following actions would best protect the log files? Use syslog to send log entries to another server. Configure permissions on the log files to prevent access. Take a hash of the log files. Encrypt the log files.

Use syslog to send log entries to another server.

Over the past few days, a server has gone offline and rebooted automatically several times. You would like to see a record of when each of these restarts has occurred. Which log type should you check? Security System Performance Firewall

System

Which log file type is one of the most tedious to parse but can tell you exactly when users log onto your site and what their location is? Web server logs System logs Event logs Authentication logs

Web server logs

You would like to get a feel for the amount of bandwidth you are using in your network. What is the first thing you should do? Create data points. Choose a protocol. Set intervals. Establish a baseline.

Establish a baseline.

You are worried about email spoofing. What can be put throughout an email's header that provides the originating email account or IP address and not a spoofed one? Timestamp Data points Metadata X-headers

X-headers

Which two types of service accounts must you use to set up event subscriptions? Local event administrators account Collector computer account Network server machine account Default machine account Specific user service account

Default machine account Specific user service account

By default, events received from the source computers in Event Subscription are saved in which log? Application log Forwarded Events log Security log System log

Forwarded Events log

You set up Event Subscription, but you are getting an overwhelming amount of events recorded. What should you do? Use the Runtime Status link Define a filter Choose the correct subscription type Use the default machine account

Define a filter

Which of the following are required to configure Event Subscription for event forwarding? (Select three.) Start Windows Event Collector service on collector computer. Give the subscription a name. Start Windows Remote Management service on both the source and collector computers. Configure the destination log. Configure Runtime Status. Create a Windows firewall exception for HTTP or HTTPS on all source computers. Create a filter.

Start Windows Event Collector service on collector computer. Start Windows Remote Management service on both the source and collector computers. Create a Windows firewall exception for HTTP or HTTPS on all source computers.

You are configuring a source-initiated subscription on the collector computer in Event Viewer. Which of the following do you need to specify? Computer Content filter System log Computer group

Computer group

For some reason, your source computers are not communicating properly with the collector. Which tool would you use to verify communications? Run winrm qc -q Runtime Status Event Viewer System log Run wecutil qc

Runtime Status

For source-initiated subscriptions, which tool do you use to configure event forwarding? Filter settings Group Policy Service account Event Viewer

Group Policy

You have a large number of source computers in your IT environment. Which subscription type would be most efficient to employ? HTTP or HTTPS Event forwarding Source-initiated Collector-initiated

Source-initiated

You want to set up a collector-initiated environment for event subscriptions. Which commands would you run? (Select two.) Run wecutil qc /q on the source computer Run winrm qc -q on the source computer. Run wecutil qc on the collector computer. Run winrm qc /q on the collector computer. Run wecutil qc on the source computer Run winrm qc -q on the collector computer.

Run winrm qc -q on the source computer. Run wecutil qc on the collector computer.

You wish to configure collector-initiated event subscriptions. On the collector computer, in which program do you configure a subscription? Event Viewer Computer Management Device Manager Local Group Policy

Event Viewer

What is the most important element related to evidence in addition to the evidence itself? Completeness Witness testimony Chain of custody document Photographs of the crime scene

Chain of custody document

The chain of custody is used for which purpose? Listing people coming into contact with the evidence Retaining evidence integrity Identifying the owner of the evidence Detailing the timeline between creation and discovery of evidence

Listing people coming into contact with the evidence

You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. Which type of document is this? Rules of evidence CPS (certificate practice statement) Chain of custody FIPS-140

Chain of custody

How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence? Write a log file to the media Enable write protection Create a checksum using a hashing algorithm Reset the file attributes on the media to read-only

Create a checksum using a hashing algorithm

As a security analyst, you are configuring your environment to be able to properly gather digital forensic information. Which of the following must be set up to help create a timeline of events? Create a solid chain of custody that proves that no evidence-tampering has occurred. Create tags for all your IT assets so that they are easily identifiable and trackable. Make sure all client computers have their time set accurately by a time server. Create a report template that helps you describe the incident, how the evidence was analyzed, and the conclusions you came to.

Make sure all client computers have their time set accurately by a time server.

You want to store your computer-generated audit logs in case they are needed in the future for examination or to be used as evidence in the event of a security incident. Which method can you use to ensure that the logs you put in storage have not been altered when you use them in the future? Encrypt the logs. Create a hash of each log. Make two copies of each log and store each copy in a different location. Store the logs in an offsite facility.

Create a hash of each log.

What does the hashing of log files provide? Prevention of log files being altered or overwritten Proof that the files have not been altered Sequencing of files and log entries to recreate a timeline of events Prevention of the system running when the log files are full Confidentiality to prevent unauthorized reading of the files

Proof that the files have not been altered

Which method can you use to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence? Photographs File directory listing Serial number notation Hashing

Hashing

Your company is about to begin litigation, and you need to gather information. You need to get emails, memos, invoices, and other electronic documents from employees. You'd also like to get printed, physical copies of documents. Which tool would you use to gather this information? Legal hold Timestamps Timeline of events Chain of custody

Legal hold

A forensic investigator gathers potential evidence from many software, hardware, and other sources. There is an order in which the evidence needs to be gathered. The order of volatility describes the process of capturing data based on the volatility of said data. Place the following items in the correct order of volatility in the gathering of potential evidence. (1-5) Swap/page file RAM Remote logs Hard Drive Archived data

1. RAM 2. Swap/page file 3. Hard drive 4. Remote logs 5. Archived data

You need to find the text string New Haven in 100 documents in a folder structure on a Linux server. Which command would you use? grep tail head chmod

grep

You would like to add some entries into the system log file. Which command would you use? cat logger grep chmod

logger

You would like to see only the last 15 lines of /home/user/logfile on your Linux machine. Which command line interface (CLI) command would you use? head -n 15 /home/user/logfile tail -n 15 /home/user/logfile tail -f /home/user/logfile cat -n 15 /home/user/logfile

tail -n 15 /home/user/logfile

A conditional statement that selects the statements to run depending on whether an expression is true or false is known as which of the following? If else statement If statement Else statement Else if statement

If else statement

Which of the following BEST describes a constant? A sequence of characters. A group of related data values or elements. A named unit of data that is assigned a value. Data or a value that does not change.

Data or a value that does not change.

!= or <> refers to Not Equal in which scripting language? PowerShell Bash Python PuTTY

Python

Which of the following BEST describes PuTTy? A mechanism that allows you to interact with the operating system directly. Open-source software that is developed and supported by a group of volunteers. A method that provides an encryption standard that's widely used by internet websites. A programming language for a special runtime environment that automates the execution of tasks.

Open-source software that is developed and supported by a group of volunteers.

Match each network sniffing method with the correct definition. MAC spoofing -Allows an attacker's computer to connect to a switch using an authorized MAC address. -The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address. -The MAC address of the attacker can be associated with the IP address of another host. -Creates a duplicate of all network traffic on a port and sends it to another device.

Allows an attacker's computer to connect to a switch using an authorized MAC address.

Match each network sniffing method with the correct definition. Port mirroring -Allows an attacker's computer to connect to a switch using an authorized MAC address. -The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address. -The MAC address of the attacker can be associated with the IP address of another host. -Creates a duplicate of all network traffic on a port and sends it to another device.

Creates a duplicate of all network traffic on a port and sends it to another device.

Match each network sniffing method with the correct definition. ARP poisoning -Allows an attacker's computer to connect to a switch using an authorized MAC address. -The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address. -The MAC address of the attacker can be associated with the IP address of another host. -Creates a duplicate of all network traffic on a port and sends it to another device.

The MAC address of the attacker can be associated with the IP address of another host.

Match each network sniffing method with the correct definition. MAC flooding -Allows an attacker's computer to connect to a switch using an authorized MAC address. -The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address. -The MAC address of the attacker can be associated with the IP address of another host. -Creates a duplicate of all network traffic on a port and sends it to another device.

The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.

For some reason, when you capture packets as part of your monitoring, you aren't seeing much traffic. What could be the reason? You have multiple MAC addresses associated with one NIC. Your NIC is set to broadcasting instead of receiving. You forgot to turn on promiscuous mode for the network interface. Your machine is set to only capture HTTP packets.

You forgot to turn on promiscuous mode for the network interface.

You would like to simulate an attack on your network so you can test defense equipment and discover vulnerabilities in order to mitigate risk. Which tool would you use to simulate all the packets of an attack? Etherflood Wireshark TCPDump TCPReplay

TCPReplay

Which of the following is a recovery site that may have electricity connected, but there are no servers installed and no high-speed data lines present? Hot site Reciprocal agreement Warm site Cold site

Cold site

To prevent server downtime, which of the following components should be installed redundantly in a server system? Power supply CD or DVD drive RAM modules Floppy disk drive

Power supply

You have been asked to deploy a network solution that includes an alternate location where operational recovery is provided within minutes of a disaster. Which of the following strategies would you choose? Cold site Warm site Hot site Hot spare

Hot site

What is the primary security feature that can be designed into a network's infrastructure to protect and support availability? Switches instead of hubs Periodic backups Fiber optic cables Redundancy

Redundancy

Daily backups are completed at the ABD company location, and only a weekly backup is maintained at another network location. Which of the following disaster recovery strategies is ABD using? Cold site Hot spare Warm site Hot site

Warm site

Which of the following disk configurations might sustain losing two disks? (Select two.) RAID 1 RAID 1+0 RAID 0+1 RAID 5 RAID 0

RAID 1+0 RAID 0+1

You have a computer with three hard disks. A RAID 0 volume uses space on Disk 1 and Disk 2. A RAID 1 volume uses space on Disk 2 and Disk 3. Disk 2 fails. Which of the following is true? Data on the RAID 1 volume is accessible; data on the RAID 0 volume is not. Data on the RAID 0 volume is accessible; data on the RAID 1 volume is not. Data on both volumes is not accessible. Data on both volumes is still accessible.

Data on the RAID 1 volume is accessible; data on the RAID 0 volume is not.

Which of the following drive configurations is fault tolerant? RAID 0 RAID 5 Disk striping Expanded volume set

RAID 5

You have been asked to implement a RAID 5 solution for your network. What is the minimum number of hard disks that can be used to configure RAID 5? 2 3 4 5 6

Which of the following network strategies connects multiple servers together so that if one server fails, the others immediately take over its tasks, preventing a disruption in service? Clustering Adapter bonding Storage Area Networks (SANs) Mirroring

Clustering

A system failure has occurred. Which of the following restoration processes would result in the fastest restoration of all data to its most current state? Restore the full backup and all differential backups Restore the full backup and all incremental backups Restore the full backup and the last incremental backup Restore the full backup and the last differential backup

Restore the full backup and the last differential backup

Your disaster recovery plan calls for backup media to be stored at a different location. The location is a safe deposit box at the local bank. Because of this, the disaster recovery plan specifies that you choose a method that uses the least amount of backup media, but also allows you to quickly back up and restore files. Which backup strategy would BEST meet the disaster recovery plan? Perform a full backup each day of the week. Perform a full backup once per week and an incremental backup the other days of the week. Perform a full backup once per year and a differential backup for the rest of the days in the year. Perform a full backup once per month and an incremental backup the other days of the month. Perform a full backup once per week and a differential backup the other days of the week.

Perform a full backup once per week and a differential backup the other days of the week.

Your network uses the following backup strategy: Full backups every Sunday night Differential backups Monday night through Saturday night On Thursday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data? 1 2 3 4 5

Which backup strategy backs up all files from a computer's file system, regardless of whether the file's archive bit is set or not, and then marks them as backed up? Full Copy Differential Incremental

Full

Your network performs a full backup every night. Each Sunday, the previous night's backup tape is archived. On a Wednesday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data? 1 2 3 4 5 6

Which of the following describes a system image backup? (Select two.) A system image only contains the operating system, installed programs, drivers, and user profile settings. A system image does not include operating system files, program files, encrypted files, files in the Recycle Bin, user profile settings, or temporary files. A system image includes only specified files and folders backed up to a compressed file. A system image backup consists of an entire volume backed up to .vhd files. A system image contains everything on the system volume, including the operating system, installed programs, drivers, and user data files.

A system image backup consists of an entire volume backed up to .vhd files. A system image contains everything on the system volume, including the operating system, installed programs, drivers, and user data files.

Which of the following are backed up during an incremental backup? Only files that have changed since the last full or differential backup. Only files that have changed since the last full backup. Only files that are new since the last full or incremental backup. Only files that have changed since the last full or incremental backup.

Only files that have changed since the last full or incremental backup.

Which of the following is true of an incremental backup's process? Backs up all files regardless of the archive bit and resets the archive bit. Backs up all files with the archive bit set and does not reset the archive bit. Backs up all files with the archive bit set and resets the archive bit. Backs up all files regardless of the archive bit and does not reset the archive bit.

Backs up all files with the archive bit set and resets the archive bit.

Your network uses the following backup strategy: Full backups every Sunday night Incremental backups Monday night through Saturday night On a Thursday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data? 1 2 3 4 5

Why should backup media be stored offsite? To reduce the possibility of theft To prevent the same disaster from affecting both the network and the backup media To comply with government regulation To improve the efficiency of the restoration process

To prevent the same disaster from affecting both the network and the backup media

Chapter 12 Flashcards

(83 cards)