Questions

  1. Which of the following is true about volatile data?
    1. The operating system time is not volatile because it is synchronized with other network devices using NTP.
    2. Network connections are volatile because the attacker's device is likely to be removed from the network on detection.
    3. Paging files are volatile because they are cleared when the process is ended.
    4. Network configuration is not volatile because addresses are burnt in or statically assigned.
  2. The CSIRT needs to send some of the failed hard drives to be destroyed. They choose to use a courier, but a road traffic accident leads to the hard drive containing the data being lost in transit.
    Which of the following is the best characterization of this new incident?
    1. Asset: M - Disk Drive | Actor: Partner | Action: Error, Physical accidents
    2. Asset: M - Disk Drive | Actor: Partner | Action: Error, Loss
    3. Asset: M - Disk Drive | Actor: External | Action: Physical, Theft
    4. Asset: M - Disk Drive | Actor: External | Action: Error, Disposal Error

The following four questions relate to the following scenario. Further information is given in the individual questions if required.
An employee reports that their vehicle was stolen over the weekend, and their corporate laptop was among the items that were in their car:

  1. What is the best characterization of the affected attributes in this incident?
    1. Attribute: Confidentiality, Availability
    2. Attribute: Confidentiality, Integrity
    3. Attribute: Confidentiality only
    4. Attribute: Integrity, Availability
  2. The security team notices that the device connected via the VPN yesterday (after the vehicle is meant to have been stolen). A number of emails were accessed. The employee says that their diary might also have been in the car. The user's passwords were written on the back page, but fortunately the diary is otherwise brand new.
    Which of the following additions to the attributes section would be expected?
    1. Confidentiality: .DataDisclosure: Yes/.Data.Variety: Personal and Credentials
    2. Confidentiality: .DataDisclosure: Yes/.Data.Variety: Personal and Internal
    3. Confidentiality: .DataDisclosure: Yes/.Data.Variety: Internal and Secrets
    4. Confidentiality: .DataDisclosure: Yes/.Data.Variety: Credentials and Internal
  3. The security team has changed the employee's passwords, and is able to remotely wipe the laptop the next time it connects to the internet. Once this happens, what phase will the incident handling team be in?
    1. Containment
    2. Remediation
    3. Hardening
    4. Reporting
  4. Some time later, the police have contacted the team to inform them that an individual has been arrested and charged with vehicle theft. The company laptop has been recovered. What is the likely value of the laptop to the organization?
    1. There is no evidential value remaining on the laptop.
    2. There may still be forensic evidence to trace the threat actor.
    3. Any volatile evidence will be gone, but old files are still available.
    4. Evidence on the hard disk might reveal any of the thief's use while offline.

The following four questions relate to the following scenario. Further information is given in the individual questions if required.

An organization's CSIRT is assembled after reports that a dump of customer data has appeared online. The CSIRT examines the logs, and it appears that a former employee accessed a number of non-public records and subsequently sent large encrypted files out of the company after they had been given notice of termination last week.
The customer data appears to include usernames and partially masked passwords, as well as truncated credit card numbers:

  1. What actor details would be reported under VERIS?
    1. Actor: External: .Motive: NA/.Variety: Former employee
    2. Actor: External: .Motive: Grudge/.Variety: Former employee
    3. Actor: Internal: .Motive: NA/.Variety: End-User
    4. Actor: Internal: .Motive: Grudge/.Variety: End-User
  2. Which attribute(s) have been affected in this incident?
    1. Confidentiality only
    2. Confidentiality and Availability
    3. Integrity and Availability
    4. Integrity only
  3. Which of the following remedial actions should be considered by the organization?
    1. Informing card issuers to block credit card numbers
    2. Ensuring that user accounts are disabled immediately on termination of employment
    3. Ensuring that any encrypted files can be decrypted and inspected before exiting the system
    4. Communication with customers, advising them to change passwords
  4. Which of the following items would be the highest priority for evidence collection?
    1. Running processes
    2. Network traffic logs
    3. Encrypted files from the TCP stream
    4. Contents of memory