CompTIA CSA+ Study Guide. Mike Chapple
13 Which of the following tools cannot be used to make a forensic disk image?
14 During a forensic investigation, Shelly is told to look for information in slack space on the drive. Where should she look, and what is she likely to find?
A. She should look at unallocated space, and she is likely to find file fragments from deleted files.
B. She should look at unused space where files were deleted, and she is likely to find complete files hidden there by the individual being investigated.
C. She should look in the space reserved on the drive for spare blocks, and she is likely to find complete files duplicated there.
D. She should look at unused space left when a file is written, and she is likely to find file fragments from deleted files.
15 What type of system is used to contain an attacker to allow them to be monitored?
A. A white box
B. A sandbox
C. A network jail
D. A VLAN
16 Bob’s manager has asked him to ensure that a compromised system has been completely purged of the compromise. What is Bob’s best course of action?
A. Use an antivirus tool to remove any associated malware
B. Use an antimalware tool to completely scan and clean the system
C. Wipe and rebuild the system
D. Restore a recent backup
17 What level of secure media disposition as defined by NIST SP 800-88 is best suited to a hard drive from a high-security system that will be reused in the same company by an employee of a different level or job type?
18 Which of the following actions is not a common activity during the recovery phase of an incident response process?
A. Reviewing accounts and adding new privileges
B. Validating that only authorized user accounts are on the systems
C. Verifying that all systems are logging properly
D. Performing vulnerability scans of all systems
19 A statement like “Windows workstations must have the current security configuration template applied to them before being deployed” is most likely to be part of which document?
20 Jim is concerned with complying with the U.S. federal law covering student educational records. Which of the following laws is he attempting to comply with?
21 A fire suppression system is an example of what type of control?
22 Lauren is concerned that Danielle and Alex are conspiring to use their access to defraud their organization. What personnel control will allow Lauren to review their actions to find any issues?
A. Dual control
B. Separation of duties
C. Background checks
D. Cross training
23 Joe wants to implement an authentication protocol that is well suited to untrusted networks. Which of the following options is best suited to his needs in its default state?
24 Which software development life cycle model uses linear development concepts in an iterative, four-phase process?
Defending Against Cybersecurity Threats
Domain 1: Threat Management
✓ 1.3 Given a network-based threat, implement or recommend the appropriate response and countermeasure.
✓ 1.4 Explain the purpose of practices used to secure a corporate environment.
Cybersecurity analysts are responsible for protecting the confidentiality, integrity, and availability of information and information systems used by their organizations. Fulfilling this responsibility requires a commitment to a defense-in-depth approach to information security that uses multiple, overlapping security controls to achieve each cybersecurity objective. It also requires that analysts have a strong understanding of the threat environment facing their organization in order to develop a set of controls capable of rising to the occasion and answering those threats.
In the first section of this chapter, you will learn how to assess the cybersecurity threats facing your organization and determine the risk that they pose to the confidentiality, integrity, and availability of your operations. In the sections that follow, you will learn about some of the controls that you can put in place to secure networks and endpoints and evaluate the effectiveness of those controls over time.
When most people think of cybersecurity, they imagine hackers trying to break into an organization’s system and steal sensitive information, ranging from Social Security numbers and credit cards to top-secret military information. Although protecting sensitive information from unauthorized disclosure is certainly one element of a cybersecurity program, it is important to understand that cybersecurity actually has three complementary objectives, as shown in Figure 1.1.
Figure 1.1 The three key objectives of cybersecurity programs are confidentiality, integrity, and availability.
Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. Cybersecurity professionals develop and implement security controls, including firewalls, access control lists, and encryption, to prevent unauthorized access to information. Attackers may seek to undermine confidentiality controls to achieve one of their goals: the unauthorized disclosure of sensitive information.
Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. Integrity controls, such as hashing and integrity monitoring solutions, seek to enforce this requirement. Integrity threats may come from attackers seeking the alteration
13 A. FTK, EnCase, and dd all provide options that support their use for forensic disk image creation. Since xcopy cannot create a bitwise image of a drive, it should not be used to create forensic images.
14 D. Slack space is the space left when a file is written. Since the space may have previously been filled by another file, file fragments are likely to exist and be recoverable. Unallocated space is space that has not been partitioned and could contain data, but looking there isn’t part of Shelly’s task. The reserved space maintained by drives for wear leveling (for SSDs) or to replace bad blocks (for spinning disks) may contain data, but again, this was not part of her task.
15 B. Sandboxes are used to isolate attackers, malicious code, and other untrusted applications. They allow defenders to monitor and study behavior in the sandbox without exposing systems or networks to potential attacks or compromise.
16 C. The most foolproof means of ensuring that a system does not remain compromised is to wipe and rebuild it. Without full knowledge of when the compromise occurred, restoring a backup may not help, and both antimalware and antivirus software packages cannot always ensure that no remnant of the compromise remains, particularly if the attacker created accounts or otherwise made changes that wouldn’t be detected as malicious software.
17 B. NIST SP 800-88 defines three levels of action of increasing severity: clear, purge, and destroy. In this case, purging, which uses technical means to make data infeasible to recover, is appropriate for a high-security device. Destruction might be preferable, but the reuse element of the question rules this out. Reinstallation is not an option in the NIST guidelines, and clearing is less secure.
18 A. The recovery phase does not typically seek to add new privileges. Validating that only legitimate accounts exist, that the systems are all logging properly, and that systems have been vulnerability scanned are all common parts of an incident response recovery phase.
19 B. This statement is most likely to be part of a standard. Policies contain high-level statements of management intent; standards provide mandatory requirements for how policies are carried out, including statements like that provided in the question. A procedure would include the step-by-step process, and a guideline describes a best practice or recommendation.
20 D. The Family Educational Rights and Privacy Act (FERPA) requires educational institutions to implement security and privacy controls for student educational records. HIPAA covers security and privacy for healthcare providers, health insurers, and health information clearinghouses; GLBA covers financial institutions; and SOX applies to financial records of publicly traded companies.
21 B. Fire suppression systems are physical controls. Logical controls are technical controls that enforce confidentiality, integrity, and availability. Administrative controls are procedural controls, and operational controls are not a type of security control as used in security design.
22 B. Lauren should implement separation of duties in a way that ensures that Danielle and Alex cannot abuse their rights without a third party being involved. This will allow review of their actions and should result in any issues being discovered.
23 A. Kerberos is designed to run on untrusted networks and encrypts authentication traffic by default. LDAP and RADIUS can be encrypted but are not necessarily encrypted by default (and LDAP has limitations as an authentication mechanism). It is recommended that TACACS+ be run only on isolated administrative networks.
24 D. The Spiral model uses linear development concepts like those used in Waterfall but repeats four phases through its life cycle: requirements gathering, design, build, and evaluation.