Incident Response and Geofencing

Questions and Answers

What is the purpose of the analysis phase in incident response?

To contain the incident and minimize its impact

To implement security measures to prevent future attacks

To collect and examine evidence to understand the source of an incident (correct)

To communicate with external stakeholders about the incident

What is the next step after identifying vulnerabilities in a network during a vulnerability assessment?

Initiate a penetration test to validate security

Submit a report detailing the findings

Conduct an audit of user access

Rescan the network to check for remaining vulnerabilities (correct)

Which of the following best defines an insider threat?

A phishing scheme targeting employees' credentials

A security risk from within the organization with authorized access (correct)

A cyber attack from an external hacker

An external audit assessing organization security

In which part of the incident response process does the team assess the threat actor's motives and capabilities?

Analysis

Why is the analysis phase crucial in incident response planning?

It helps in formulating a recovery strategy.

What does containment refer to in the incident response process?

Preventing further damage from an ongoing incident

What is the primary goal of rescan after vulnerability remediation?

To ensure that all previously identified vulnerabilities have been fixed

Which of the following activities directly follows the detection of an incident?

Analysis to understand the source

What does tuning in a security context primarily refer to?

Modifying rules to exclude normal activity from detection

What could 10 consecutive failed login attempts on jsmith's account indicate?

A brute force attack is in progress

Why is it important to reset ismith's password after detecting multiple failed login attempts?

To prevent further unauthorized access to the account

What action should be taken when an attacker is detected trying to brute force an account?

Block the attacker's IP address

What is one of the best practices for mitigating risks from weather events to a server room?

Implementing geographic dispersion

Which of the following may NOT effectively prevent downtime from weather-related events?

Clustering servers tightly

What characteristic of a brute force attack is highlighted in the scenario?

It typically uses automated tools or scripts

Which action should be prioritized after a brute force attempt is detected?

Block the attacker's IP and enhance security settings

Which method is most suitable for displaying only the last four digits of a credit card number?

Masking

What type of malware is indicated by systems displaying a message with a '.ryk' file extension?

Ransomware

When developing a web application for reporting health emergencies, which aspect should be prioritized?

Availability

Which data security method transforms data into a different format and may prevent unauthorized access?

Encryption

What consequence does ransomware typically have on a user’s files?

Files are encrypted and a ransom is demanded

What does masking allow when dealing with sensitive credit card information?

Identification of cardholder while concealing full card number

Which characteristic defines the term 'availability' in the context of web applications?

The ability to remain operational and accessible at all times

Which of the following methods does NOT modify the original data format?

Masking

What is the primary purpose of social engineering in the context provided?

To manipulate individuals into revealing confidential information

What type of exercise is effective for organizations to enhance their incident response plans?

Tabletop exercise

Which protocol is used to check the revocation status of a certificate in real time?

OCSP

Why is OCSP preferred over CRLs for certificate validation?

It can provide real-time status checks

What role did the user play in the described social engineering scenario?

A proactive reporter who identified the scam

In the context of improving incident response, what can a tabletop exercise identify?

Communication and coordination gaps

What does OCSP stand for in network security?

Online Certificate Status Protocol

What does a successful social engineering attack typically rely on?

User compliance from trickery

Which type of security controls should allow access when a failure or error occurs?

Safety controls

What is the main purpose of safety controls in a data center?

To protect human life and physical assets

When security controls fail, which of the following should they do?

Always fail open to maintain operation

What is a characteristic of remote access points in terms of failure?

They should fail closed to maintain security

Which of the following is NOT an example of safety controls?

Logging control systems

In the context of data centers, what does failing closed typically aim to achieve?

Preventing unauthorized access during failures

Which of the following controls is primarily focused on operational availability during a crisis?

Safety controls

What happens to logging controls when they fail?

They should maintain a secure logging state

Study Notes

Incident Response Activities

• Analysis identifies the source of an incident by collecting evidence, determining root causes, assessing scope and impact, and understanding attacker motives.
• Following detection, analysis precedes containment, eradication, recovery, and lessons learned.

Vulnerability Management

• After a vulnerability assessment, rescanning the network is crucial to confirm that identified vulnerabilities have been remediated.

Insider Threats

• Activities such as unauthorized after-hours remote logins and transferring data to personal devices indicate an insider threat, originating from authorized personnel within the organization.

Brute Force Attacks

• Multiple failed login attempts in a short period suggest a brute force attack, characterized by attempts to guess a user's credentials using various combinations.

Data Protection Methods

• Masking is preferred for displaying only the last four digits of credit card numbers, preventing unauthorized access while allowing partial visibility.
• Ransomware, identifiable by file extensions like .ryk, encrypts files and demands ransom for decryption, affecting entire systems.

Application Availability

• In developing web applications for health emergencies, availability is paramount to ensure users can access services when needed.

Incident Response Exercises

• Tabletop exercises simulate incident response procedures, helping organizations identify weaknesses and improve communication and coordination.

Certificate Validation

• OCSP (Online Certificate Status Protocol) allows real-time validation of certificates' revocation status, offering a faster alternative to Certificate Revocation Lists (CRLs).

Safety Controls

• Safety controls, such as fire alarms and emergency exits, should fail open to protect human life during emergencies, allowing continued operation or access in case of failure.
• Other security controls, like remote access points and logical controls, should fail closed to prevent unauthorized access during errors.

Description

This quiz explores the relationship between geofencing and data sovereignty, as well as the incident response activities involved in understanding the source of incidents. Test your knowledge on the processes that help ensure compliance and protection for organizations. Ideal for those studying cybersecurity protocols.