Practice Tests - Chapter 4: Reporting and Communication Flashcards
4- Ben is preparing to conduct a vulnerability scan for a new client of his security consulting organization. Which one of the following steps should Ben perform first?
- Conduct penetration testing.
- Run a vulnerability evaluation scan.
- Run a discovery scan.
- Obtain permission for the scans.
Obtain permission for the scans.
Ben should obtain permission from the client to perform scans before engaging in any other activities. Failure to do so may violate the law and/or anger the client.
6- Grace ran a vulnerability scan and detected an urgent vulnerability in a public‐facing web server. This vulnerability is easily exploitable and could result in the complete compromise of the server. Grace wants to follow best practices regarding change control while also mitigating this threat as quickly as possible. What would be Grace’s best course of action?
- Initiate a high‐priority change through her organization’s change management process and wait for the change to be approved.
- Implement a fix immediately and document the change after the fact.
- Schedule a change for the next quarterly patch cycle.
- Initiate a standard change through her organization’s change management process.
Implement a fix immediately and document the change after the fact.
In this situation, Grace is facing a true emergency. Her web server has a critical vulnerability that is exposed to the outside world and may be easily exploited. Grace should correct the issue immediately, informing all relevant stakeholders of the actions that she is taking. She can then follow up by documenting the change as an emergency action in her organization’s change management process. All of the other approaches in this question introduce an unacceptable delay.
9- Gene runs a vulnerability scan of his organization’s datacenter and produces a summary report to share with his management team. The report includes the chart shown here. When Gene’s manager reads the report, she points out that the report is burying important details because it is highlighting too many unimportant issues. What should Gene do to resolve this issue?
(look up diagram in book)
- Tell his manager that all vulnerabilities are important and should appear on the report.
- Create a revised version of the chart using Excel.
- Modify the sensitivity level of the scan.
- Stop sharing reports with the management team.
Modify the sensitivity level of the scan.
Gene’s best option is to alter the sensitivity level of the scan so that it excludes low‐importance vulnerabilities. The fact that his manager is telling him that many of the details are unimportant is his cue that the report contains superfluous information. Although he could edit the chart manually, he should instead alter the scan settings so that he does not need to make those manual edits each time he runs the report.
DRP
Disaster Recovery Plan
BIA
Business Impact Assessment
12- Zhang Wei is evaluating the success of his vulnerability management program and would like to include some metrics. Which one of the following would be the least useful metric?
- Time to resolve critical vulnerabilities
- Number of open critical vulnerabilities over time
- Total number of vulnerabilities reported
- Number of systems containing critical vulnerabilities
Total number of vulnerabilities reported
Zhang Wei should likely focus his efforts on high‐priority vulnerabilities, as vulnerability scanners will report results for almost any system scanned. The time to resolve critical vulnerabilities, the number of open critical vulnerabilities over time, and the number of systems containing critical vulnerabilities are all useful metrics. The total number of reported vulnerabilities is less useful because it does not include any severity information.
14- Abdul received the vulnerability report shown here for a server in his organization. The server runs a legacy application that cannot easily be updated. What risks does this vulnerability present?
(look up diagram in book)
- Unauthorized access to files stored on the server
- Theft of credentials
- Eavesdropping on communications
- All of the above
All of the above
The use of FTP is not considered a good security practice. Unless tunneled through a secure protocol, FTP is unencrypted, allowing an attacker to eavesdrop on communications and steal credentials that may be transmitted over FTP links. Additionally, this vulnerability indicates that an attacker can gain access to the server without even providing valid credentials.
BPA
Business Partnership Agreement
16- Raul is replacing his organization’s existing vulnerability scanner with a new product that will fulfill that functionality moving forward. As Raul begins to build the policy, he notices some conflicts in the scanning settings between different documents. Which one of the following document sources should Raul give the highest priority when resolving these conflicts?
- NIST guidance documents
- Vendor best practices
- Corporate policy
- Configuration settings from the prior system
Corporate policy
Of the documents listed, only corporate policy is binding on Raul, and he should ensure that his new system’s configuration complies with those requirements. The other sources may provide valuable information to inform Raul’s work, but compliance with them is not mandatory.
20- Maria discovered an operating system vulnerability on a system on her network. After tracing the IP address, she discovered that the vulnerability is on a proprietary search appliance installed on her network. She consulted with the responsible engineer who informed her that he has no access to the underlying operating system. What is the best course of action for Maria?
- Contact the vendor to obtain a patch.
- Try to gain access to the underlying operating system and install the patch.
- Mark the vulnerability as a false positive.
- Wait 30 days and rerun the scan to see whether the vendor corrected the vulnerability.
Contact the vendor to obtain a patch.
Maria should contact the vendor to determine whether a patch is available for the appliance. She should not attempt to modify the appliance herself, as this may cause operational issues. Maria has no evidence to indicate that this is a false positive report, and there is no reason to wait 30 days to see whether the problem resolves itself.
22- Thomas discovers a vulnerability in a web application that is part of a proprietary system developed by a third‐party vendor, and he does not have access to the source code. Which one of the following actions can he take to mitigate the vulnerability without involving the vendor?
- Apply a patch.
- Update the source code.
- Deploy a web application firewall.
- Conduct dynamic testing.
Deploy a web application firewall.
Thomas can deploy a web application firewall to block attempts to exploit the vulnerability. Applying a patch or updating the source code may also resolve the issue, but Thomas cannot do this himself because he does not have access to the source code. Dynamic testing identifies vulnerabilities but does not correct them.
24- The company that Brian works for processes credit cards and is required to be compliant with PCI DSS. If Brian’s company experiences a breach of card data, what type of disclosure will they be required to provide?
- Notification to local law enforcement
- Notification to their acquiring bank
- Notification to federal law enforcement
- Notification to Visa and MasterCard
Notification to their acquiring bank
Organizations that process credit cards work with acquiring banks to handle their card processing, rather than directly with the card providers. Notification to the bank is part of this type of response effort. Requiring notification of law enforcement is unlikely, and the card provider listing specifies only two of the major card vendors, none of which are specified in the question.
25- As Lauren prepares her organization’s security practices and policies, she wants to address as many threat vectors as she can using an awareness program. Which of the following threats can be most effectively dealt with via awareness?
- Attrition
- Impersonation
- Improper usage
- Web
Improper usage
Improper usage, which results from violations of an organization’s acceptable use policies by authorized users, can be reduced by implementing a strong awareness program. This will help ensure users know what they are permitted to do and what is prohibited. Attrition attacks focus on brute‐force methods of attacking services. Impersonation attacks include spoofing, man‐in‐the‐middle attacks, and similar threats. Finally, web‐based attacks focus on websites or web applications. Awareness may help with some specific web‐based attacks like fake login sites, but many others would not be limited by Lauren’s awareness efforts.
Attrition Attacks
focus on brute‐force methods of attacking services
Impersonation attacks
include spoofing, man‐in‐the‐middle attacks, and similar threats
26- Laura wants to ensure that her team can communicate during an incident. Which of the following should the team prepare to be ready for an incident?
- A second, enterprise authenticated messaging system
- An enterprise VoIP system using encryption
- Enterprise email with TLS enabled
- A messaging capability that can function if enterprise authentication is unavailable
A messaging capability that can function if enterprise authentication is unavailable
A distinct messaging system that can work if enterprise services are unavailable due to an incident can be a critical factor for IR teams. Whether it’s a phone tree, a collaboration system that also allows distinct logins that are not part of enterprise authentication, or another solution, IR teams often need a system that is separate during wide‐ranging incidents.
29- NIST SP 800‐61 identifies six outside parties that an incident response team will typically communicate with. Which of the following is not one of those parties?
- Customers, constituents, and media
- Internet service providers
- Law enforcement agencies
- Legal counsel
Legal counsel
NIST identifies customers, constituents, media, other incident response teams, Internet service providers, incident reporters, law enforcement agencies, and software and support vendors as outside parties that an IR team will communicate with.
NIST SP 800‐61 identifies six outside parties that an incident response team will typically communicate with. Who?
- customers, constituents, and media
- other incident response teams
- Internet service providers
- incident reporters
- law enforcement agencies
- software and support vendors
30- Ben works at a U.S. federal agency that has experienced a data breach. Under FISMA, which organization does he have to report this incident to?
- US‐CERT
- The National Cyber Security Authority
- The National Cyber Security Centre
- CERT/CC
US‐CERT
FISMA requires that U.S. federal agencies report incidents to US‐CERT. CERT/CC is the coordination center of the Software Engineering Institute and researches software and Internet security flaws as well as works to improve software and Internet security. The National Cyber Security Authority is Israel’s CERT, whereas the National Cyber Security Centre is the UK’s CERT.
33- Craig is revising his organization’s incident response plan and wants to ensure that the plan includes coordination with all relevant internal and external entities. Which one of the following stakeholders should he be most cautious about coordinating with?
- Regulatory bodies
- Senior leadership
- Legal
- Human resources
Regulatory bodies
All of these stakeholders should be included in the planning for an incident response program. However, Craig should be most careful about coordinating with external entities, such as regulatory bodies, because of their enforcement role. He should plan to coordinate more freely with internal entities, such as senior leadership, legal, and human resources.
34- The vulnerability management action plan that was sent to Jacinda notes that a critical application that her organization uses relies on an insecure version of a software package because of a long‐standing workflow requirement. Jacinda’s organization’s best practices state that the organization will select the most secure option that also permits business to be conducted. What should Jacinda do?
- Mark the vulnerability as “ignored.”
- Change the business requirements to enable the vulnerability to be handled.
- Disable the service.
- Install a third‐party patch for the service.
Change the business requirements to enable the vulnerability to be handled.
Jacinda knows that reviewing business processes to see if they can be changed to use a secure version of the software package may require some business process changes but is often a possible solution. Ignoring the vulnerability isn’t secure, turning off the service will disrupt the business itself, and third‐party patches rarely exist and are seldom a preferred solution.
37- Jason is required to notify the company that provides credit card processing services to his organization if an incident impacting credit card data occurs. What type of communications does he need to perform?
- Regulatory reporting
- Customer communications
- Law enforcement communications
- None of the above
None of the above
Payment card industry requirements are contractual, not regulatory. Jason’s organization is the customer, and law enforcement communication is not required by PCI.
41- The incident response report that Brian is reading includes a statement that says “Impacted systems were limited to those in the organization’s AWS VPC.” What part of an incident response report will typically contain this type of information?
- The timeline
- The evidence statement
- The impact statement
- The scope statement
The scope statement
Scope statements are used to explain and define which systems, services, or infrastructure components were part of an incident. Timelines are used to show when events occurred in relation to each other. Evidence is provided as part of a report to show what was found and how it was interpreted. Impact statements describe what the incident’s results or outcome was for the organization.
42- Nila’s incident response team has discovered evidence of an employee who may have been engaged in criminal activity while they were conducting an incident investigation. The team has suggested that law enforcement should be contacted. What significant concern should Nila raise about this potential communication?
- Law enforcement can’t enforce organizational policy.
- Law enforcement engagement may hinder the organization’s ability to respond or operate.
- Law enforcement involvement may create communications issues.
- Law enforcement may arrest a critical employee.
Law enforcement engagement may hinder the organization’s ability to respond or operate.
Since the violation is only an organizational policy, Nila should note that law enforcement engagement may hinder the organization’s ability to respond or operate. Law enforcement isn’t being asked to enforce organizational policy; the more pressing issue is interruption of business rather than communications issues; and if the employee violated the law, an arrest may happen anyway.