Security Training and Incident Response

Question 1

You have received a call from the legal department to halt regular operations due to pending litigation by a disgruntled former employee. What is this called?

Litigation review

Legal policy

Legal hold

Answer 1

Legal hold

A legal hold is a formal directive from legal counsel that puts the organization into data collection and preservation mode in the event of pending litigation, investigation, audit, or other circumstance where the data may be required

Question 2

You are the first responder to a security incident in which a database server has been compromised and has crashed. Which of the following actions should be performed to help preserve evidence of the incident?

Save access logs and a current memory dump.

Restart the system to restore operations.

Perform a backup of the database.

Answer 2

Save access logs and a current memory dump.

Any current logs and memory dumps should be saved to make sure you have evidence of all activity during the time of the incident. If you reboot the server to get it functioning again, you can lose valuable log data or data residing in memory

Question 3

You are collecting forensic evidence from a recent network intrusion, including firewall logs, access logs, and screen captures of the intruder’s activity. Which of the following concepts describes the procedures for preserving the legal ownership history of evidence from the security incident?

Damage control

Audit trail

Chain of custody

Answer 3

Chain of custody

Keeping a chain of custody requires all evidence to be properly labeled with information on who secured and validated the evidence. This can ensure the evidence wasn’t tampered with in any way since the time it was collected

Question 4

A network administrator has discovered the company’s File Transfer Protocol (FTP) server has been hacked. Which of the following items would be the most important to collect and preserve as evidence?

Server memory dump

List of user accounts

Access activity log

Answer 4

Access activity log

The activity log will show what times the attacker was performing hacking activities and what those activities were. This evidence might be able to be used in court to help prosecute the attacker if he is caught

Question 5

You have been contacted by your company’s CEO after she received a personalized but suspicious e-mail message from the company’s bank asking for detailed personal and financial information. After reviewing the message, you determine that it did not originate from the legitimate bank. Which of the following security issues does this scenario describe?

Dumpster diving

Phishing

Whaling

Answer 5

Whaling

Whaling is a type of phishing attack that is targeted at a specific high-level user. The victim is usually a high-profile member of the organization who has much more critical information to lose than the average user. The messages used in the attack are usually crafted and personalized toward the specific victim user

Question 6

During your user awareness training, which of the following actions would be the best security practice for your users to help prevent malware installation from phishing messages?

Forwarding suspicious messages to other users

Not clicking links in suspicious messages

Checking e-mail headers

Answer 6

Not clicking links in suspicious messages

To help prevent malware from being installed, it is a best practice to make your users aware that they should never click links in a suspicious message. The link can take the user to a malicious website that could automatically install malware on their computer through their web browser

Question 7

After recent security issues with certain types of development documents being leaked out of the organization, what security policy can you implement to help improve user awareness of what types of documents can be transmitted outside of the organization?

Document security classifications

Clean desk policy

Tailgating policy

Answer 7

Document security classifications

By classifying all your documents, you will inform users as to which types of documents are marked “confidential” and must never be transmitted outside of the organization through e-mail, fax, or other communications. Other document types that do not contain confidential information can be marked as “public” and freely distributed

Question 8

A web server recently crashed because of a denial-of-service attack against it. Based on the order of volatility, which of the following pieces of evidence would you preserve first?

Website data

Screen capture of crash error message

Printout of web access logs

Answer 8

Screen capture of crash error message

When collecting forensic data evidence, be aware that certain types of data are more volatile over time. In this case, the error message on the web server should be captured as a screenshot before the server is restarted. The message will disappear, and unless it appears in the logs, you may have no other record of it

Question 9

After collecting several log files as evidence for a hacking incident against your web server, what should you do to help preserve the legal integrity of the logs to prove they have not been tampered with?

Print a hard copy of the log files.

Encrypt the logs.

Perform a hash on each file.

Answer 9

Perform a hash on each file.

You must be able to prove that the log files have not been tampered with since they were captured. You can create an MD5 hash of the file immediately after the incident to create a “fingerprint” for a message that you can compare to the original file at a later time

Question 10

Threat actors are generally categorized by which of the following? (Choose all that apply.)

Intent

Resources

Internal/external

Nationality

Answer 10

Intent

Resources

Internal/external

Threat actors are generally bucketed using the following attributes: level of sophistication, resources/funding, intent/motivation, and whether they are internal or external in nature