Operations and Incident Response Flashcards
What should you identify about a user before implementing the principle of least privilege?
User’s job function
To provide checks and balances and to prevent one person from gaining too much power over a system, which type of security policy should you implement?
Separation of duties
What are the three basic questions answered by the chain of custody?
- Who controlled the evidence
- Who secured the evidence
- Who obtained the evidence
Which policy should be reviewed by the security administrator to determine what data is allowed to be collected from users of the corporate Internet-facing Web application?
Company’s privacy policy
What document lists the steps to take in case of a disaster to your main IT site?
Disaster Recovery Plan (DRP)
Why should a first responder be familiar with the incident response plan?
To ensure that the appropriate procedures are followed
What is the proper life cycle of evidence steps?
Collection, analysis, storage, court presentation, and return to owner
What must you do for an effective security auditing policy, besides creating security logs?
Analyze the logs
Which assessment examines whether network security practices follow a company’s security policy?
Audit
Who is responsible for most security incidents in an organization?
Employees
What is meant by the term legal hold?
A process that an organization uses to preserve all forms of relevant information when preservation is needed for litigation
Why should the proper chain of custody be ensured?
So that evidence will be admissible in court
What is wireshark?
A protocol analyzer or packet sniffer
Which policy defines the technical means that are used to protect data on a network?
Security policy
According to the CompTIA Security+ blueprint, what are the six steps in the incident response process?
- Preparation
- Identification
- Containment
- Eradication
- Recovery
Which log in Event View should you open to view events that are generated based on your auditing settings?
Security log
When evidence is seized, which principle should be emphasized?
Chain of custody
What is the primary goal of business continuity planning?
Maintain the organization
Which document is used when it is necessary to invoke legal action against an employee for inappropriate use of computer resources?
Acceptable use policy
What is the name of the process for removing only the incriminating data from the audit logs
Scrubbing
What are correlation engines
Applications that examine relationships between entries in firewall logs to understand possible attacks
What is the name of the group of people appointed to respond to security incidents?
Incident response team
Which security measure prevents fraud by reducing the chances of collision?
Separation of duties
Which team is responsible for restoring critical business functions at an alternate site in the event of disruption?
Recovery team
