CompTIA CSA+ Study Guide. Mike Chapple
Чтение книги онлайн.
Читать онлайн книгу CompTIA CSA+ Study Guide - Mike Chapple страница 6
C. Internal view
D. External view
6 In early 2017, a flaw was discovered in the Chakra JavaScript scripting engine in Microsoft’s Edge browser that could allow remote execution or denial of service via a specifically crafted website. The CVSS 3.0 score for this reads
What is the attack vector and the impact to integrity based on this rating?
A. System, 9, 8
B. Browser, High
C. Network, High
D. None, High
7 Alice is a security engineer tasked with performing vulnerability scans for her organization. She encounters a false positive error in one of her scans. What should she do about this?
A. Verify that it is a false positive, and then document the exception
B. Implement a workaround
C. Update the vulnerability scanner
D. Use an authenticated scan, and then document the vulnerability
8 Which phase of the incident response process is most likely to include gathering additional evidence such as information that would support legal action?
A. Preparation
B. Detection and Analysis
C. Containment, Eradication, and Recovery
D. Post-Incident Activity and Reporting
9 Which of the following descriptions explains an integrity loss?
A. Systems were taken offline, resulting in a loss of business income.
B. Sensitive or proprietary information was changed or deleted.
C. Protected information was accessed or exfiltrated.
D. Sensitive personally identifiable information was accessed or exfiltrated.
10 Which of the following techniques is an example of active monitoring?
A. Ping
B. RMON
C. Netflows
D. A network tap
11 Ben’s monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called?
A. Anomalous pings
B. Probing
C. Zombie chatter
D. Beaconing
12 Which of the following tools is not useful for monitoring memory usage in Linux?
A. df
B. top
C. ps
D. free
13 Which of the following tools cannot be used to make a forensic disk image?
A. xcopy
B. FTK
C. dd
D. EnCase
14 During a forensic investigation, Shelly is told to look for information in slack space on the drive. Where should she look, and what is she likely to find?
A. She should look at unallocated space, and she is likely to find file fragments from deleted files.
B. She should look at unused space where files were deleted, and she is likely to find complete files hidden there by the individual being investigated.
C. She should look in the space reserved on the drive for spare blocks, and she is likely to find complete files duplicated there.
D. She should look at unused space left when a file is written, and she is likely to find file fragments from deleted files.
15 What type of system is used to contain an attacker to allow them to be monitored?
A. A white box
B. A sandbox
C. A network jail
D. A VLAN
16 Bob’s manager has asked him to ensure that a compromised system has been completely purged of the compromise. What is Bob’s best course of action?
A. Use an antivirus tool to remove any associated malware
B. Use an antimalware tool to completely scan and clean the system
C. Wipe and rebuild the system
D. Restore a recent backup
17 What level of secure media disposition as defined by NIST SP-800-88 is best suited to a hard drive from a high-security system that will be reused in the same company by an employee of a different level or job type?
A. Clear
B. Purge
C. Destroy
D. Reinstall
18 Which of the following actions is not a common activity during the recovery phase of an incident response process?
A. Reviewing accounts and adding new privileges
B. Validating that only authorized user accounts are on the systems
C. Verifying that all systems are logging properly
D. Performing vulnerability scans of all systems
19 A statement like “Windows workstations must have the current security configuration template applied to them before being deployed” is most likely to be part of which document?
A. Policies
B. Standards
C. Procedures
D. Guidelines
20 Jim
6
C. When reading the CVSS 3.0 score, AV is the attack vector. Here, N means network. Confidentiality (C), Integrity (I), and Availability (A) are listed at the end of the listing, and all three are rated as High in this CVSS rating.
7
A. When Alice encounters a false positive error in her scans, her first action should be to verify it. This may involve running a more in-depth scan like an authenticated scan, but could also involve getting assistance from system administrators, checking documentation, or other validation actions. Once she is done, she should document the exception so that it is properly tracked. Implementing a workaround is not necessary for false positive vulnerabilities, and updating the scanner should be done before every vulnerability scan. Using an authenticated scan might help but does not cover all of the possibilities for validation she may need to use.
8
C. The Containment, Eradication, and Recovery phase of an incident includes steps to limit damage and document what occurred, including potentially identifying the attacker and tools used for the attack. This means that information useful to legal actions is most likely to be gathered during this phase.
9
B. Integrity breaches involve data being modified or deleted. Systems being taken offline is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information breaches would typically be classified as privacy breaches.
10
A. Active monitoring sends traffic like pings to remote devices as part of the monitoring process. RMON and netflows are both examples of router-based monitoring, whereas network taps allow passive monitoring.
11
D. Regular traffic from compromised systems to command and control nodes is known as beaconing. Anomalous pings could describe unexpected pings, but they are not typically part of botnet behavior, zombie chatter is a made-up term, and probing is part of scanning behavior in some cases.
12
C. The df command is used to show the amount of free and used disk space. Each of the other commands can show information about memory usage in Linux.
13
A. FTK, EnCase, and dd all provide options that support their use for forensic disk image creation. Since xcopy cannot create a bitwise image of a drive, it should not be used to create forensic images.
14
D. Slack space is the space left when a file is written. Since the space may have previously been filled by another file, file fragments are likely to exist and be recoverable. Unallocated space is space that has not been partitioned and could contain data, but looking there isn’t part of Shelly’s task. The reserved space maintained by drives for wear leveling (for SSDs) or to replace bad blocks (for spinning disks) may contain data, but again, this was not part of her task.
15
B. Sandboxes are used to isolate attackers, malicious code, and other untrusted applications. They allow defenders to monitor and study behavior in the sandbox without exposing systems or networks to potential attacks or compromise.
16
C. The most foolproof means of ensuring that a system does not remain compromised is to wipe and rebuild it. Without full knowledge of when the compromise occurred, restoring a backup may not help, and both antimalware and antivirus software packages cannot always ensure that no remnant of the compromise remains, particularly if the attacker created accounts or otherwise made changes that wouldn’t be detected as malicious software.
17
B. NIST SP 800-88 defines three levels of action of increasing severity: clear, purge, and destroy. In this case, purging, which uses technical means to make data infeasible to recover, is appropriate for a high-security device. Destruction might be preferable, but the reuse element of the question rules this out. Reinstallation is not an option in the NIST guidelines, and clearing is less secure.
18
A. The recovery phase does not typically seek to add new privileges. Validating that only legitimate accounts exist, that the systems are all logging properly, and that systems have been vulnerability scanned are all common parts of an incident response recovery phase.
19
B. This statement is most likely to be part of a standard. Policies contain high-level statements of management intent; standards provide mandatory requirements for how policies are carried out, including statements like that provided in the question. A procedure would include the step-by-step process, and a guideline describes a best practice or recommendation.
20
D. The Family Educational Rights and Privacy Act (FERPA) requires educational institutions to implement security and privacy controls for student educational records. HIPAA covers security and privacy for healthcare providers, health insurers, and health information clearinghouses; GLBA covers financial institutions; and SOX applies to financial records of publicly traded companies.