Incident Response and Geofencing

Questions and Answers

What is the purpose of the analysis phase in incident response?

• To contain the incident and minimize its impact
• To implement security measures to prevent future attacks
• To collect and examine evidence to understand the source of an incident (correct)
• To communicate with external stakeholders about the incident

What is the next step after identifying vulnerabilities in a network during a vulnerability assessment?

• Initiate a penetration test to validate security
• Submit a report detailing the findings
• Conduct an audit of user access
• Rescan the network to check for remaining vulnerabilities (correct)

Which of the following best defines an insider threat?

• A phishing scheme targeting employees' credentials
• A security risk from within the organization with authorized access (correct)
• A cyber attack from an external hacker
• An external audit assessing organization security

In which part of the incident response process does the team assess the threat actor's motives and capabilities?

Analysis (D)

Why is the analysis phase crucial in incident response planning?

It helps in formulating a recovery strategy. (C)

What does containment refer to in the incident response process?

Preventing further damage from an ongoing incident (D)

What is the primary goal of rescan after vulnerability remediation?

To ensure that all previously identified vulnerabilities have been fixed (D)

Which of the following activities directly follows the detection of an incident?

Analysis to understand the source (A)

What does tuning in a security context primarily refer to?

Modifying rules to exclude normal activity from detection (C)

What could 10 consecutive failed login attempts on jsmith's account indicate?

A brute force attack is in progress (C)

Why is it important to reset ismith's password after detecting multiple failed login attempts?

To prevent further unauthorized access to the account (B)

What action should be taken when an attacker is detected trying to brute force an account?

Block the attacker's IP address (B)

What is one of the best practices for mitigating risks from weather events to a server room?

Implementing geographic dispersion (D)

Which of the following may NOT effectively prevent downtime from weather-related events?

Clustering servers tightly (C)

What characteristic of a brute force attack is highlighted in the scenario?

It typically uses automated tools or scripts (D)

Which action should be prioritized after a brute force attempt is detected?

Block the attacker's IP and enhance security settings (C)

Which method is most suitable for displaying only the last four digits of a credit card number?

Masking (D)

What type of malware is indicated by systems displaying a message with a '.ryk' file extension?

Ransomware (D)

When developing a web application for reporting health emergencies, which aspect should be prioritized?

Availability (B)

Which data security method transforms data into a different format and may prevent unauthorized access?

Encryption (A)

What consequence does ransomware typically have on a user’s files?

Files are encrypted and a ransom is demanded (B)

What does masking allow when dealing with sensitive credit card information?

Identification of cardholder while concealing full card number (D)

Which characteristic defines the term 'availability' in the context of web applications?

The ability to remain operational and accessible at all times (D)

Which of the following methods does NOT modify the original data format?

Masking (C)

What is the primary purpose of social engineering in the context provided?

To manipulate individuals into revealing confidential information (C)

What type of exercise is effective for organizations to enhance their incident response plans?

Tabletop exercise (B)

Which protocol is used to check the revocation status of a certificate in real time?

OCSP (B)

Why is OCSP preferred over CRLs for certificate validation?

It can provide real-time status checks (D)

What role did the user play in the described social engineering scenario?

A proactive reporter who identified the scam (A)

In the context of improving incident response, what can a tabletop exercise identify?

Communication and coordination gaps (B)

What does OCSP stand for in network security?

Online Certificate Status Protocol (C)

What does a successful social engineering attack typically rely on?

User compliance from trickery (A)

Which type of security controls should allow access when a failure or error occurs?

Safety controls (C)

What is the main purpose of safety controls in a data center?

To protect human life and physical assets (C)

When security controls fail, which of the following should they do?

Always fail open to maintain operation (D)

What is a characteristic of remote access points in terms of failure?

They should fail closed to maintain security (D)

Which of the following is NOT an example of safety controls?

Logging control systems (C)

In the context of data centers, what does failing closed typically aim to achieve?

Preventing unauthorized access during failures (D)

Which of the following controls is primarily focused on operational availability during a crisis?

Safety controls (D)

What happens to logging controls when they fail?

They should maintain a secure logging state (C)

Flashcards are hidden until you start studying

Study Notes

Incident Response Activities

• Analysis identifies the source of an incident by collecting evidence, determining root causes, assessing scope and impact, and understanding attacker motives.
• Following detection, analysis precedes containment, eradication, recovery, and lessons learned.

Vulnerability Management

• After a vulnerability assessment, rescanning the network is crucial to confirm that identified vulnerabilities have been remediated.

Insider Threats

• Activities such as unauthorized after-hours remote logins and transferring data to personal devices indicate an insider threat, originating from authorized personnel within the organization.

Brute Force Attacks

• Multiple failed login attempts in a short period suggest a brute force attack, characterized by attempts to guess a user's credentials using various combinations.

Data Protection Methods

• Masking is preferred for displaying only the last four digits of credit card numbers, preventing unauthorized access while allowing partial visibility.
• Ransomware, identifiable by file extensions like .ryk, encrypts files and demands ransom for decryption, affecting entire systems.

Application Availability

• In developing web applications for health emergencies, availability is paramount to ensure users can access services when needed.

Incident Response Exercises

• Tabletop exercises simulate incident response procedures, helping organizations identify weaknesses and improve communication and coordination.

Certificate Validation

• OCSP (Online Certificate Status Protocol) allows real-time validation of certificates' revocation status, offering a faster alternative to Certificate Revocation Lists (CRLs).

Safety Controls

• Safety controls, such as fire alarms and emergency exits, should fail open to protect human life during emergencies, allowing continued operation or access in case of failure.
• Other security controls, like remote access points and logical controls, should fail closed to prevent unauthorized access during errors.