Security Operations

Question 1

What outlines the scope, objectives, limitations, and boundaries of a penetration test?

Answer 1

Rules of Engagement (RoE)

Question 2

What is active reconnaissance?

Answer 2

• When a pen-tester actively probes and scans the target environment to gather information
• Ex. Port/service scans, vulnerability scans

Question 3

What is passive reconnaissance?

Answer 3

• Involves gathering information without directly interacting with the target systems
• Ex. Monitoring traffic or analyzing publicly available information

Question 4

What is required for an organization to properly manage its restore process in the event of system failure?

Answer 4

DRP (Disaster Recovery Plan)

Question 5

What is the purpose of a RPO?

Answer 5

Covers the amount of data that is expected to be recovered given a failure

Question 6

If you wanted to inspect data about an executable than ran on a employee’s laptop, what logs would you use?

Answer 6

Endpoint/host logs

Question 7

What is the purpose of a DRP?

Answer 7

A plan for the whole recovery process necessary to restore the system

Question 8

What is it called when an analyst proactively searches for signs of compromise or suspicious actives within the network?

Answer 8

Threat hunting

Question 9

What encryption technique would you use to protect data on an employees’ laptop?

Answer 9

Full disk encryption

Question 10

What should a security administrator adhere to when setting up a new set of firewall rules?

Answer 10

Change management procedure

Question 11

What is it called when companies pay non-employees to find vulnerabilities?

Answer 11

Bug bounty

Question 12

What document would a company provide to a client to outline the project, cost, and the completion time frame?

Answer 12

SOW (Statement of Work)

Question 13

What should be done first when a high-priority patch to a production system needs to be applied?

Answer 13

Create a change control request

Question 14

Why should root cause analysis be conducted as part of incident response?

Answer 14

To prevent future incidents of the same nature

Question 15

What is the most likely outcome if a large bank fails an internal PCI DSS compliance assessment?

Answer 15

Audit findings

Question 16

What is it when a company determines the staffing levels needed to sustain business operations during a disruption?

Answer 16

• Capacity planning
• This ensures that the organization has sufficient human resources to maintain essential functions and minimize downtime

Question 17

What is it called when a company required hard drives to be securely wiped before sending decommissioned systems to recycling?

Answer 17

Sanitization

Question 18

What data classification should be used to secure and protect patient data?

Answer 18

Sensitive

Question 19

What team can a company hire to perform an offensive security assessment covering penetration testing and social engineering?

Answer 19

Red

Question 20

What team would perform a defensive security assessment?

Answer 20

Blue

Question 21

What can be used to identify potential attacker activities without affecting production servers?

Answer 21

Honeypot

Question 22

What is the process called when an incident response team engages in the process of understanding the source of an incident?

Answer 22

Analysis

Question 23

What should be done after a security network completes a vulnerability assessment of the network and remedies the vulnerabilities?

Answer 23

Rescan the network

Question 24

What does automation involve?

Answer 24

Using tools and scripts to regularly check and report on the security settings of servers

Question 25

What script should you write to streamline account creation?

Answer 25

User provisioning script

Question 26

What type of control is described by a company setting up a SIEM system and assigning an analyst to review the logs on a weekly basis?

Answer 26

Detective

Question 27

What is tuning?

Answer 27

Setting a monitoring system to have higher, or lower threat detection standards

Question 28

What is the primary security concern of setting up a BYOD program?

Answer 28

Jailbreaking

Question 29

What is ARO?

Answer 29

* Annualized Rate of Occurrence * This estimated the frequency with which a specific risk or event is expected to occur in a year * Helps assess the likelihood of risks

Question 30

What is RTO?

Answer 30

* Recovery Time Objective * The maximum acceptable amount of time that a system or application can be down after a failure/disaster

Question 31

What would a company use to decide if they should reduce the cost of its annual cyber insurance policy by removing the coverage for ransomware attacks?

Answer 31

ARO

Question 32

In what phase of the incident response process does a security analyst review roles and responsibilities?

Answer 32

Preparation

Question 33

What should a security administrator set up so they can secure data by tracking changes in an environment?

Answer 33

FIM (File Integrity Monitoring)

Question 34

What is FIM?

Answer 34

* File Integrity Monitoring * A security technology that monitors and detects changes in files * Can track modifications, access, or deletions of files and notify administrators of any changes

Question 35

When implementing FDE on all laptops in an organization, what are two important considerations to make?

Answer 35

* Key escrow * TPM presence

Question 36

What is the purpose of key escrow?

Answer 36

To ensure encryption keys can be recovered in case they are lost or forgotten

Question 37

What is TPM presence?

Answer 37

* A hardware-based security feature that can store encryption keys securely * Enhances the security of FDE by protecting the keys from being accessed or tampered with

Question 38

What incident response activity ensures evidence is properly handled?

Answer 38

Chain of custody

Question 39

What does orchestration refer to?

Answer 39

The automated configuration, management, and coordination of systems, apps and services

Question 40

In the context of data roles, the customer whose sensitive data is being collected, modified, and stored is referred to as what?

Answer 40

Subject

Question 41

What is used to quantitatively measure the criticality of a vulnerability?

Answer 41

* CVSS * Common Vulnerability Scoring System

Question 42

An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system, what best describes this action?

Answer 42

Compensating controls

Question 43

What is the most common data loss path for an air-gapped network?

Answer 43

Removable devices

Question 44

An administrator reviewed log files after a ransomware attack, what control type is this?

Answer 44

Detective

Question 45

A security analyst locates a potentially malicious video file on a server and needs to identify both the creation date and the file's creator. How should they get the information required?

Answer 45

Query the file's metadata

Question 46

What team combines both offensive and defensive testing techniques to protect an organization's critical systems?

Answer 46

Purple

Question 47

What is the primary security implication of using end-of-life operating systems?

Answer 47

Lack of patch availability

Question 48

What would help ensure a security analyst is able to accurately measure the overall risk to an organization when a new vulnerability is disclosed?

Answer 48

A full inventory of all hardware and software

Question 49

What strategy must be employed to ensure data loss is prevented on stolen laptops?

Answer 49

Encryption at rest

Question 50

What should an administrator do to prevent users from being able to access data based on their responsibilities in a simple format?

Answer 50

RBAC

Question 51

What access management concepts will a company most likely use to safeguard intranet accounts and grant access to multiple sites based on a user's intranet account?

Answer 51

* Federation * Password complexity

Question 52

What is a security alerting and monitoring tool that collects system, application, and network logs from multiple sources in a centralized system?

Answer 52

SIEM

Question 53

What is the best way to handle a critical business application that is running on a legacy server?

Answer 53

Segmentation

Question 54

What risk management strategy should an enterprise adopt first if a legacy application is critical to business operations and there are preventative controls that are not yet implemented?

Answer 54

Mitigation

Question 55

What is the best way to secure an on-site data center against intrusion from an insider?

Answer 55

Access badge

Question 56

The local administrator account for a company's VPN appliance was unexpectedly used to log in to the remote management interface. What would most likely prevent this from happening?

Answer 56

Changing the default password

Question 57

What is ALE (Annual Loss Expectancy)

Answer 57

Represents the expected monetary loss for an asset due to a risk over a year

Question 58

What would be most useful in determining whether the long-term cost to transfer a risk is less than the impact of the risk?

Answer 58

ALE

Question 59

What logs would you analyze to identify the impacted host in a command-and-control server incident?

Answer 59

DHCP and Firewall

Question 60

What is a backout plan?

Answer 60

* A backout plan is a predefined strategy to reverse and recover from changes made to a system if the changes produce undesirable results * It's a safety measure that ensures data integrity and system availability.