CompTIA Cybersecurity Analyst (CySA+) - Module 3: Cyber Incident
Response
Which of the following describes a rudimentary threat that would be picked up by an
anti-virus or IPS?
Known Threat
Unknown threat
Zero-day
...
CompTIA Cybersecurity Analyst (CySA+) - Module 3: Cyber Incident
Response
Which of the following describes a rudimentary threat that would be picked up by an
anti-virus or IPS?
Known Threat
Unknown threat
Zero-day threat
Advanced Persistent Threat -Answer- Known Threat
Which of the following describes a threat coming from a well trained attacker such as
another country?
Known Threat
Unknown threat
Zero-day threat
Advanced Persistent Threat -Answer- Advanced Persistent Threat
Which of the following describes a threat unknown to the local IT department but is
currently otherwise known?
Known Threat
Unknown threat
Zero-day threat
Advanced Persistent Threat -Answer- Unknown threat
Which of the following describes an threat with no known solution or fix?
Known Threat
Unknown threat
Zero-day threat
Advanced Persistent Threat -Answer- Zero-day threat
When considering the severity an incident and implementing various remedies to an
incident which of the following is the greatest limiter in implementing a security control?
Economic
Recovery Time
Scope
Data Integrity -Answer- Economic
What type of data would include information such as addresses full names and social
security numbers?
PIIPHI
PCI
IP -Answer- PII
What type of information would include card numbers CVV and pin?
PII
PHI
PCI
IP -Answer- PCI
When protecting your payment card information it should be noted you will never have
to distribute your pin number.
True
False -Answer- True
When determining the security of an incident the associated downtime is measure by
determining how long the system has been down thus far.
True
False -Answer- False
Which of the following can be found in a forensics toolkit? Choose all that apply.
Write blocker
Read blocker
Cameras
Zip ties -Answer- Write blocker & Cameras
Generally what is considered to be the minimal acceptable RAM on an enterprise
forensic workstation?
16GB
32GB
64GB
128GB -Answer- 32GB
A forensic workstation should not have access to the internet in order to prevent
compromising the sensitive data on the system.
True
False -Answer- True
Simply denying write permissions is adequate enough in ensuring a system is producing
valid evidence.True
False -Answer- False
Why are devices such as write blockers and forensic workstations utilized while
collecting evidence?
Efficient data retrieval
Due diligence
To maintain integrity of evidence
To guarantee enough evidence is collected -Answer- To maintain integrity of evidence
Which of the following will best guarantee that evidence will be preserved on a
machine?
Live acquisition
Shutting down the computer
Pulling the plug
Packet capture -Answer- Pulling the plug (Never do this!)
Which of the following will best capture the most possible evidence but might result in
changing data?
Live acquisition
Shutting down the computer
Pulling the plug
Packet capture -Answer- Live acquisition
Which of the following may compromise volatile storage but nor risk changing data?
Live acquisition
Shutting down the computer
Pulling the plug
Packet capture -Answer- Shutting down the computer
When performing a forensic analysis of a compromised machine it was discovered that
the analyst was unable to plug the hard drive directly into the forensic workstation. This
cause valuable time to be wasted. What device could have most likely solved this
problem?
Proper cables
Wiped removable media
Write blockers
Drive adapters -Answer- Drive adaptersWhen utilizing some for of removable media it is important to make sure the media is
completely clean to avoid compromising evidence.
True
False -Answer- True
How many points of entry is ideal at the scene of an incident?
One
Two
Three
Four -Answer- One
Utilizing a camera to take ongoing video of the scene of an incident is unreliable as the
holder may have shaky hands and extra audio can be distracting.
True
False -Answer- False
When should chain of custody be established?
Before an incident
Some time after an incident
After all evidence is collected
Immediately after an incident -Answer- Immediately after an incident
Which of the following hashing algorithms is commonly used to allow large amounts of
data to be quickly hashed?
MDA
MD5
SHA-1
SHA-2 -Answer- MDA
Where should hashed password be stored on a Linux system to best prevent user
access?
/shadow
/password
/SAM
/secure -Answer- /shadow
Which of the following stakeholders is concerned about employee rights and
employment laws?
HRLegal
Marketing
Management -Answer- HR
Which of the following stakeholders is concerned with local laws and industrial
regulations?
HR
Legal
Marketing
Management -Answer- Legal
Which of the following stakeholders is concerned with public relations and brand?
HR
Legal
Marketing
Management -Answer- Marketing
Which of the following stakeholders is considered to have the final say in incident
response?
HR
Legal
Marketing
Management -Answer- Management
Corporate VOIP devices would be considered out of band communication and safe to
use in case of an incident.
True
False -Answer- False
Local law enforcement should be informed in case of a severe incident that involves a
physical intrusion into a corporate premise.
True
False -Answer- True
Which of the following symptoms could be an indicator that an attacker has installed
malware on a legitimate system and is awaiting an external command?
Bandwidth consumption
Scan sweeps
Irregular Peer-to-peer communication
Beaconing -Answer- BeaconingWhich of the following symptoms could indicate that a system is maliciously scanning a
network?
Beaconing
Rogue access point installed
systematic communication over every port
Spikes in network traffic -Answer- systematic communication over every port
Beaconing while potentially malicious could be confused for which of the following types
of legitimate traffic?
[Show More]