Cybersecurity Practices and Incident Response
48 Questions

Questions and Answers

What would be the most effective immediate response to a cybersecurity incident?

  • Purchase cybersecurity insurance
  • Implement an exception for all data center services
  • Move the servers to a protected segment (correct)
  • Hire a third-party to perform an extensive audit

Which term best describes the steps for processing orders during an Internet connection failure?

  • Platform diversity
  • Continuity of operations (correct)
  • Cold site recovery
  • Tabletop exercise

What method would best facilitate credential examination for individuals entering a data center?

  • Biometric access systems (correct)
  • Manual entry systems
  • Visitor logs
  • Security badges with RFID

Which approach is characterized by a third-party gathering information without direct access to a company's internal network?

  • Passive reconnaissance (A) (correct)

How would you best describe a strategy involving some employee information encrypted and other data in plaintext?

  • Hybrid encryption (C) (correct)

What mechanism determines how to handle an email from a third-party if the sending server is not on the authorized list?

  • SPF (B) (correct)

To minimize database corruption during unexpected power loss, which strategy should be employed?

  • Journaling (C) (correct)

Which type of threat actor typically targets systems to achieve direct financial gain?

  • Organized crime (D) (correct)

What is the best approach to establish security policy rules for corporate mobile devices?

  • Mobile device management solutions (D) (correct)

What should a security engineer do if a significant vulnerability in Windows servers has not been patched?

  • Prioritize the patching process (D) (correct)

What term best describes a system being compromised through an existing known vulnerability?

  • Exploit vulnerability (C) (correct)

Which of the following practices is essential for managing additional information from users while keeping it separate from company data?

  • Data segregation frameworks (C) (correct)

In building an ambulance service network, what aspect should be prioritized to ensure effectiveness?

  • System availability (D) (correct)

What does a text alert received for changes in access rights on a database signify?

  • Automation (C) (correct)

What is the best measure to prevent potential data exfiltration via external storage drives?

  • Blocking the use of removable media (D) (correct)

What describes an alert system that informs when access rights are modified on sensitive databases?

  • Intrusion detection system (IDS) (B) (correct)

Which of the following would MOST likely describe the issue where users are being directed to a different IP address than the bank's web server?

  • DNS poisoning (C) (correct)

Which of the following considerations are MOST commonly associated with a hybrid cloud model?

  • Network protection mismatches (C) (correct)

What would be the BEST method for a security administrator to ensure that former employees cannot access company systems?

  • Verify account access after disabling access (C) (correct)

Which term is used to describe how cautious an organization might be regarding a specific risk?

  • Risk appetite (D) (correct)

Which of the following describes the type of data created by a company that generates standard government reports each calendar quarter?

  • Regulated (D) (correct)

After a critical error occurs following a patching process on a web server, which action should be taken NEXT?

  • Follow the steps listed in the backout plan (C) (correct)

What BEST describes an attack in which specially crafted packets are sent to crash a server?

  • DDoS (B) (correct)

What should be implemented by the security team of an insurance company to meet requirements for data breach policies?

  • Use a centralized authentication server (A) (correct)
  • Implement data access GPS logging (D) (correct)

Which part of the incident response process best describes a security administrator building new servers and security systems to get financial systems back online?

  • Recovery (C) (correct)

What preventative measure can be taken to minimize the risk of Microservice outages in a hybrid cloud environment?

  • Implementing API gateways (B) (correct)

From the firewall logs indicating a Trojan was blocked, what can be observed regarding the IP addresses involved?

  • The source IP is the internal network address (A) (correct)

What approach should be taken to effectively manage the risk of data breaches in a large organization?

  • Regular security audits and vulnerability assessments (A) (correct)

What is the most likely reason for the breach of private company information after installing new wireless access points?

  • Misconfiguration (A) (correct)

What is the MOST likely reason for receiving a 'Your connection is not private' error?

  • An on-path attack intercepting connections (B) (correct)

Which of the following would be the LEAST effective method for ensuring a website maintains a login with existing credentials from a third-party site?

  • Store user credentials on the website (B) (correct)

How can the absence of a patch for a significant vulnerability in an Internet-facing firewall be best described?

  • End-of-life (A) (correct)

What describes the disaster recovery exercise involving IT and senior directors discussing processes during a simulated disaster?

  • Training (D) (correct)

How often should the firewall hardware be expected to fail between repairs in terms of uptime contracts?

  • The expected average failure rate should align with industry standards (B) (correct)

What is the best way for a security administrator to block users from visiting websites hosting malicious software?

  • DNS filtering (D) (correct)

What is one of the security measures that should be taken for data access outside of normal working hours?

  • Enforce immediate logging and alerting for such access (C) (correct)

What action is indicated by the firewall logs showing an alert for a Trojan blocking?

  • The Trojan was intercepted before execution (D) (correct)

Which incident response step is the system administrator following when imaging the operating system to a known-good version after a malware infection?

  • Recovery (A) (correct)

What describes the process of placing a SCADA system on a segmented network with limited access?

  • Network segregation (C) (correct)

Which of the following is NOT a common feature of a disaster recovery plan discussed during an exercise?

  • Financial projections (B) (correct)

Which option is most likely to be included in a company's quarterly security awareness campaign?

  • Suspicious message reports from users (B) (correct)

To prevent the reintroduction of a vulnerability that was previously patched, which measure should the security administrator implement?

  • Change management (A) (correct)

Which method is the best approach to ensure unique hashes during the application login process?

  • Salting (B) (correct)

What best describes the implementation of SCAP in an organization's security monitoring?

  • Automate the validation and patching of security issues (A) (correct)

Who is responsible for managing access rights to a large database containing customer information?

  • Data owner (A) (correct)

With the addition of a 'Private' classification to a content management system, what is the primary purpose this change likely serves?

  • Provide additional granularity in data classification (B) (correct)

Which security practice is focused on ensuring software patches do not reintroduce previous vulnerabilities?

  • Patch management (C) (correct)

In a security awareness campaign, which method would be least effective in improving user detection of phishing attempts?

  • Monitoring email attachments for malware (B) (correct)

Flashcards

Passive reconnaissance

Gathering information about a company's systems and data without direct network access, using publicly available sources.

Sender Policy Framework (SPF)

A process that checks email sender authenticity by verifying if the sender is authorized to send emails on behalf of a domain.

Organized crime

A group of individuals with the primary motivation of obtaining financial gains through cyberattacks.

Known vulnerability

A vulnerability that has been identified and documented, but for which a patch or fix is not yet available.

System availability

The critical factor for an emergency medical dispatching network. Ensuring the system is always available for critical calls.

Access rights change alert

An automated alert triggered when access rights to sensitive data are changed.

Removable media blocking

A security measure to prevent data exfiltration using external storage drives.

Access control

A security control that prevents unauthorized access to sensitive information by verifying user credentials.

Continuity of operations

A process of planning and preparing for a disruption in normal business operations, ensuring continued business operations despite an incident.

Journaling

A strategy for minimizing data loss during a power outage by maintaining a log of all database transactions.

Mobile device security

Securing an organization's mobile devices with policies requiring automatic screen locks, location tracking, and data separation.

Cold site recovery

A type of recovery plan that involves quickly rebuilding a system or network at an alternate site, designed for immediate resumption of operations.

Protected segment

Protecting a data center's critical systems by moving them to a physically segregated area with enhanced security measures.

Full-disk encryption

A technique that encrypts all data stored on a hard drive, providing comprehensive data protection even if the physical drive is compromised.

Tabletop exercise

A planned simulation of a disaster scenario to test an organization's preparedness and response procedures.

Regulated data

Data generated from regular government reports, created quarterly by a company.

Data breach policies

A set of security measures taken to prevent and manage data breaches. They include measures like access logging, data access restrictions, and reporting.

Access logs

A security measure that records all actions taken on a system, including user logins, data access, and system changes.

Geolocation restrictions

A security control that ensures data access only occurs from authorized locations.

Time-of-day restrictions

A security measure that enforces rules based on the time of day. For example, preventing access to sensitive data outside of business hours.

On-path attack (Man-in-the-middle)

A malicious attack where an attacker intercepts communication between two parties, potentially modifying or stealing data.

Single sign-on (SSO)

A website login method that lets users access a website using their existing account credentials from a third-party platform.

Centralized logging

A security measure that ensures all access attempts to sensitive data are recorded in a centralized location, making it easier to audit and analyze.

Recovery in Incident Response

Restoring financial systems after a security incident by building new servers and security systems.

End-of-Life (EOL)

A situation where a system, software, or hardware reaches the end of its support lifecycle and is no longer supported by its vendor.

Disaster Recovery Exercise

An exercise to test an organization's disaster recovery plan by simulating a disaster and allowing participants to practice response procedures.

Blocking Malicious Websites

Using DNS filtering to block access to websites known to host malicious software.

System Recovery

A process where a system administrator restores an infected system to a known-good state by imaging the operating system.

Network Segmentation

Isolating a sensitive system, like a SCADA system, on a separate network with limited access to prevent unauthorized access.

Unpatched Vulnerability

A vulnerability for which a patch is not available, and the vendor has no plans to create one.

Race Condition

A type of security attack that exploits a race condition in software, allowing attackers to gain unauthorized access or privileges.

DNS Poisoning

A cyberattack that redirects users to a fake website, often mimicking the legitimate site, with the aim of stealing their credentials or infiltrating their systems.

DDoS Attack

A type of attack that overwhelms a server with a flood of traffic, making it unavailable to legitimate users.

Risk Appetite

This security measure aims to mitigate risks by defining an organization's willingness to accept specific risks.

Backout Plan

A set of actions an organization takes to recover from a security incident, usually after a system failure or patch installation goes wrong. This plan outlines the steps involved in reversing the change and restoring normal operations.

Privilege Escalation

An attack where an attacker exploits vulnerabilities in a system to gain unauthorized access to its resources, often with the goal of manipulating system privileges.

DDoS Attack (using packets)

A type of attack where an attacker sends a malicious packet to exploit vulnerabilities in a server's operating system, often causing the server to crash or become unstable.

Study Notes

Third-Party Information Gathering

  • A company hired a third party to gather information about their servers and data.
  • The third party cannot directly access the internal network.
  • The best description of this approach is passive reconnaissance.

Email Server Message Disposition

  • A company's email server received an email from a third party.
  • The origin server didn't match authorized devices.
  • Disposition of the message is determined using SPF, NAC, DMARC, or DKIM.

Threat Actor Financial Motive

  • The threat actor most likely to attack systems for financial gain is organized crime.

Security Vulnerability Description

  • A server was compromised due to a known operating system vulnerability.
  • This finding is BEST described as a known operating system vulnerability exploit.

Emergency Medical Dispatch Priority

  • System availability is the highest priority for an ambulance service network.

Database Access Alert Description

  • A text alert was triggered when access rights were changed on a database containing private customer information.
  • The alert describes a security concern about database access rights.

Data in Use, Obfuscated Data, Trade Secrets, and Regulated Data

  • Data in use is data that is currently being used by a system.
  • Obfuscated data is data that has been made difficult to understand.
  • Trade secrets are confidential information that gives a company a competitive edge.
  • Regulated data is data that is subject to government regulations.

Data Breach Policies and Requirements

  • Data access records from all devices must be saved and archived.
  • Data access outside of normal working hours must be reported immediately.
  • Data access must occur only within the country.
  • Access logs, and audit reports must be created from a single database.
  • The security team will need to use GPS location, a data account authentication server, and access logs and audit reports from a single database to meet these requirements.

Firewall Log Information

  • A firewall log shows that a Trojan attempt was blocked from a specific IP address. The victim's IP address is 136.127.92.171.

Third-Party Website Certification Issue

  • A user received a message "Your connection is not private. NET::ERR_CERT_INVALID" from a third-party website.
  • This message indicates a trustworthiness issue and is MOST likely because of a deauthentication attack.

Website Login Credentials

  • The best way to provide website logins using existing third-party credentials is to store these credentials within the site's internal database.

Firewall Hardware Uptime

  • Details about how often firewall hardware is expected to fail are called Mean Time Between Failures (MTBF).

Attacker's Phone Call Description

  • An attacker pretended to be a company director to gain access; this is social engineering.

Formal Partnership Agreement Description

  • A formal agreement between two companies to qualify their partnership is called an acceptable use policy.

Email Signature Justification

  • Companies use digital signatures to ensure email integrity, authenticity, and confidentiality.

Embedded OS System Error Description

  • An embedded operating system constantly rebooting due to a file system error is called "memory injection," potentially stemming from malicious code corruption on the machine.

Password Policy Issues and Corrections

  • Current password policies lack restrictions on attempts and lack password change requirements.
  • Password policy corrections are frequent password changes and limits on the number of failed attempts.

Server Update Delays Response

  • The best immediate response to servers not updated in a year and needing two weeks to deploy updates is to move the servers to a protected segment.

Business Management Steps Description

  • Steps for responding to an Internet connection failure in the business process are called Continuity of Operations/Cold site recovery (and tabletop exercises are ways to practice for this contingency).

Data Center Employee Credential Examination

  • The best way to examine credentials for data center building entry is to use an authentication process, such as multi-factor authentication (MFA).

Employee Information Encryption Strategy Description

  • Storing some employee information in encrypted form, while other details remain unencrypted, is called "full-disk encryption" for stored data, but not all.

Database Corruption Minimization Strategy

  • The best method to minimize database corruption if power is lost to a server is to do replication. This will duplicate the database to another server.

Corporate Mobile Device Security Policy Establishment

  • To create a corporate mobile device security policy, policies should be created or implemented to: automatically lock devices after a predefined time period, track the location of the device, and prevent users' information from being mixed with company information or data.

Monthly Vulnerability Scan Results Description

  • A monthly vulnerability scan showing no vulnerabilities, while a known vulnerability was announced last week, means there is a false negative.

Security Event Automation Use Cases

  • IT help desk automation of security events includes escalation, guard rails, continuous integration, and resource provisioning.

Wireless Network Authentication Configuration

  • To authenticate users with their corporate credentials when using a company wireless network, 802.1x should be used.

VPN Service Posture Assessment

  • A VPN service performing a posture assessment during login is a form of security testing and is a critical assessment.

Access Control Model Description

  • The access control model used to assign individual rights and permissions to a file on a network drive is called a discretionary access control model.

Text Message Attack Description

  • A user received a text message with a link for logging into a work schedule. The best description of this attack would be "smishing."

Company Policy Formalization Description

  • The company process for formalizing the design and deployment processes for their applications is called "development lifecycle."

Incident Response Process Description

  • Copying a suspected malware executable to a sandbox for analysis is part of the incident response process.

Bank Website Visitor Decrease with Possible Attack Description

  • A decrease in bank website visitors, coupled with traffic being routed to a different IP address, suggests a deauthentication attack.

Password Policy Security Control

  • The security policies lack the use of salt in password hashing. Salting is needed when implementing a password policy.

Server Vulnerability Issue Description

  • A vulnerability that was patched previously surfacing again means it is an "end-of-life" vulnerability.

Disaster Recovery Process Description

  • A simulated disaster to discuss logistics and processes of resolving the disaster is a disaster recovery exercise.

Security Access Control Method Description

  • Blocking access to websites hosting malicious software in an organization can be accomplished with "DNS filtering".

Malware Infection Incident Response Steps

  • When a system has a malware infection, the best response is to create "lessons learned".

Description

This quiz covers critical aspects of cybersecurity, including immediate responses to incidents, handling order processing during network failures, and strategies for employee data protection. Assess your knowledge on the role of third-party information gathering and mechanisms for email handling based on server authorization.