Comptia security pro CH9 incident response

Last updated 7:51 PM on 11/27/25
50 Terms

1

As a security analyst, you are looking for a platform to compile all your security data generated by different endpoints.

Which tool would you use?

SIEM (security information and event management)

2

You need to limit the impact of a security breach for a particular file server with sensitive company data.

Which strategy would you employ?

Segmentation

3

You need to limit a compromised application from causing harm to other assets in your network.

Which strategy should you employ?

Isolation

4

You have detected and identified a security event. What is the first step you should complete?

containment

5

You would like to enhance your incident-response process and automate as much of it as possible.

Which of the following elements would you need to include? (Select two.)

runbook

playbook

6

An organization's computer incident response team (CIRT) receives an alert that shows possible malicious activity on a critical server within the network, and they initiate the CompTIA incident response process.

The team follows the incident response lifecycle to address the situation, which involves several key steps.

What order must the CIRT follow when performing the CompTIA incident response process?

Detection, analysis, containment, eradication, recovery

7

The leader of the cybersecurity team for a major e-commerce company recently encountered a major data breach that led to the exposure of customer payment details. The team has now contained the breach and is moving toward the final phase of the incident response cycle.

What is the team's primary objective in this phase?

Analyze the incident and improve procedures or systems

8

What is the BEST definition of a security incident?

Violation of a security policy

9

What is the primary goal of the containment phase of cybersecurity incident management during an incident response lifecycle? (Select two.)

Notify stakeholders and identify other reporting requirements

Limit the immediate impact of the incident while securing data and notifying stakeholders

10

The computer incident response team (CIRT) has informed the executives of a large financial institution of unusual network activity, indicating a potential breach.

Which phase of the incident response lifecycle involves investigating the reported unusual network activity to determine whether a genuine security incident has occurred and assessing the severity of the situation?

analysis

11

Which tool or concept used in cybersecurity monitoring gives a condensed overview of information from various data sources for daily incident response tasks?

Security Information and Event Management (SIEM) tools

12

As a cybersecurity analyst, you are tasked with improving the security posture of your organization. You are considering the implementation of a Security Information and Event Management (SIEM) system.

Which component of the SIEM system would be MOST critical for monitoring and securing network endpoints, services, and other vulnerable locations?

sensors

13

As a cybersecurity analyst, you are tasked with implementing a Security Information and Event Management (SIEM) system that allows the IT security team to effectively monitor and respond to events on the network in real-time.

Which component of the SIEM system would be MOST critical for this task?

SIEM Dashboards

14

As a cybersecurity analyst, you are tasked with identifying a critical component of a Security Information and Event Management (SIEM) system that can analyze and compare known malicious behavior against aggregated data from log files, system applications, and network appliances.

Which component of the SIEM system would be MOST effective for this task?

correlation

15

Which of the following components are the SIEM's way of letting the IT team know that a pre-established parameter is not within the acceptable range?

alerts

16

You are a cybersecurity analyst investigating a potential data breach in your organization. You have identified a suspicious user who appears to have accessed sensitive information.

Which type of metadata would be MOST useful to determining the user's activities on your organization's internal web applications?

Web data

17

In the context of a syslog message, which of the following components is calculated from the facility and severity level?

PRI code
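The arithmetic behind card 17 is small but worth seeing in code: PRI = facility × 8 + severity, so decoding is integer division and remainder. The example below is added here and is not part of the flashcard set; it encodes and decodes PRI values and pulls the `<PRI>` header off a raw syslog line in the RFC 5424 layout. The facility and severity names follow the RFC tables; the sample message is constructed.

```python
"""Syslog PRI encode/decode (RFC 5424 section 6.2.1).

Added example, not from the flashcard set. PRI = facility * 8 + severity,
so facility = PRI // 8 and severity = PRI % 8. Valid PRI values are 0..191.
"""
import re

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility: int, severity: int) -> int:
    """Build the PRI value carried in the angle brackets of a syslog message."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Return (facility, severity) for a PRI value."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    return divmod(pri, 8)


# RFC 5424: one to three digits, no leading zeros except for "0" itself
PRI_RE = re.compile(r"^<(0|[1-9]\d{0,2})>")


def parse_header(msg: str) -> dict:
    """Extract and decode the PRI from the start of a raw syslog message."""
    m = PRI_RE.match(msg)
    if not m:
        raise ValueError("no PRI header")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES.get(facility, f"facility{facility}"),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "rest": msg[m.end():],
    }


if __name__ == "__main__":
    # Constructed sample: authpriv (10) + crit (2) -> <82>
    sample = "<82>1 2025-11-27T19:51:00Z host1 sshd 101 - - Too many failures"
    print(parse_header(sample))
```

A practical check when tuning a collector: a message that arrives as `<34>` is auth/crit, while `<86>` is authpriv/info. Filtering on severity alone (everything at `err` or worse, for example) is a numeric comparison on the low three bits, so it is cheap to apply at the sensor before the event ever reaches the SIEM.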

18

You are a cybersecurity analyst tasked with investigating a security incident.

You need to analyze network traffic data that normally goes to Syslog or SNMP, and you also need a tool that addresses the need for a standardized protocol for exporting Internet Protocol (IP) flow records. Additionally, you need to collect data from routers, servers, and other network appliances.

Which tool would be BEST for you to use?

IPFIX (IP Flow Information Export)

19

What kind of metadata is usually linked with files and includes information like creation date, access history, and security permissions?

file metadata

20

Which of the following BEST describes the role of event metadata in network security?

It is the source and time of the event, which can include a host or network address, a process name, and categorization/priority fields.

21

As a digital forensic analyst, you have completed an investigation and are now tasked with creating a report summarizing your findings.

Which of the following principles should guide your report writing?

The evidence must not be changed or manipulated unless necessary. If it is changed or manipulated, the reasons why and process used must be recorded.

22

When conducting a cybersecurity investigation, how does recording the evidence acquisition process on video help to ensure the collected evidence's integrity?

Video recording proves the evidence originated directly from the crime scene

23

Your company is about to begin litigation, and you need to gather information. You need to get emails, memos, invoices, and other electronic documents from employees. You'd also like to get printed, physical copies of documents.

Which tool would you use to gather this information?

legal hold

24

While investigating a potential cybercrime, a junior digital forensics specialist leaves an important hard drive in a public area overnight.

A senior digital forensics specialist finds the hard drive in the morning and says that it is no longer evidence in the case.

What made the hard drive unusable in court? (Select two.)

The forensics team did not maintain the chain of custody

The forensics team did not maintain the provenance of the hard drive

25

A lawyer is preparing a subpoena for an upcoming cybercrime case and is consulting with a digital forensics specialist.

The lawyer explains the need for the ability to parse through data quickly and provide a copy of everything found to the opposing counsel.

Which utility can accomplish these requests?

E-discovery

26

In cybersecurity investigations, why is it crucial to ensure the admissibility of digital evidence collected from computer systems?

Due process and the fair application of laws require proper handling of digital evidence.

27

You are a digital forensic analyst working on a high-profile case.

You have been given access to a variety of data sources, including dashboards, log data, and host operating system logs.

You need to determine the most effective way to gather evidence for your investigation.

Which of the following approaches would be the MOST effective?

Utilize all the data sources (dashboards, log data, and host operating system logs) to gather a comprehensive set of evidence.

28

A CEO asks the tech department to create a console that shows day-to-day incident response and summaries of information drawn from underlying data sources.

What can the tech department present to the CEO as a viable option?

dashboards

29

You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court.

Which type of document is this?

chain of custody

30

What is the MOST important element related to evidence in addition to the evidence itself?

Chain of custody document
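Cards 21, 24, 29 and 30 all turn on the same two proofs: that the evidence is bit-for-bit what was acquired, and that every hand-off is recorded without gaps. The following added example (not part of the flashcard set, and not any forensic tool's format) models a custody record as a hash of the acquired image plus an append-only log in which each entry carries the hash of the one before it, so a missing, reordered or edited entry is detectable. The custodian names, locations and evidence bytes are constructed for illustration.

```python
"""Chain-of-custody record with integrity checks.

Added example, not from the flashcard set. Two things the record must let
you prove: (1) the evidence matches its acquisition hash, and (2) the
custody log is complete and unaltered (each entry links to the previous
entry's hash). All names and data below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, evidence_id: str, image: bytes):
        self.evidence_id = evidence_id
        self.image_hash = sha256_hex(image)  # acquisition hash, fixed at seizure
        self.entries = []
        # constructed first custodian / location
        self.add("acquired", custodian="J. Doe", location="server room")

    def add(self, action, custodian, location, note="", when=None):
        """Append one custody event, linked to the previous entry's hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action, "custodian": custodian,
            "location": location, "note": note,
            "prev_hash": prev,
        }
        # hash the canonical JSON of the entry, prev_hash included
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, image: bytes) -> list:
        """Return a list of problems; an empty list means custody is intact."""
        problems = []
        if sha256_hex(image) != self.image_hash:
            problems.append("evidence hash mismatch: image altered since acquisition")
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence gap (found seq {e['seq']})")
            if e["prev_hash"] != prev:
                problems.append(f"entry {i}: prev_hash does not link to entry {i - 1}")
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {i}: entry contents altered")
            prev = e["entry_hash"]
        return problems


def demo():
    """Intact chain, then the card-24 scenario: a hand-off that was never recorded."""
    image = b"constructed disk image bytes, not real evidence"
    log = CustodyLog("HD-0001", image)
    log.add("transferred", custodian="A. Smith", location="forensics lab", note="sealed bag #17")
    log.add("imaged", custodian="A. Smith", location="forensics lab", note="write blocker used")
    intact = log.verify(image)
    del log.entries[1]  # simulate the overnight gap: the transfer is missing
    broken = log.verify(image)
    return intact, broken


if __name__ == "__main__":
    print(demo())
```

The point of the linked hashes is that a gap cannot be papered over after the fact: inserting a back-dated entry changes that entry's hash, which no later entry references, so `verify` reports the break at the next entry. In a real case the hashes of the record itself would also be signed or timestamped by a third party; this example only shows the structure.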

31

An organization operates a large data center that supports critical business operations. Recently, the organization has struggled with frequent power interruptions leading to downtime and data loss.

To address this issue, the chief information security officer (CISO) decides to review the data center's resilience and recovery strategies, particularly emphasizing backup power.

To increase the resilience and recovery capabilities of the data center and ensure operations continue even during a power failure, which of the following options should the CISO consider? (Select two.)

Implement a UPS.

Deploy a dual power supply unit in each server

32

A data center manager is evaluating the resilience and recovery capabilities of a company's server room. The manager wants to ensure that in the event of power fluctuations or outages, the company's servers remain operational and maintain data integrity.

The manager focuses on the role of power distribution units (PDUs) and Uninterruptible Power Supplies (UPSs) in this context.

In enhancing the resilience and recovery capabilities of the server room against power interruptions, which primary function does the UPS provide to the servers that directly support this goal?

It provides temporary power during an outage, allowing for a graceful shutdown or transition to backup generators

33

A security consultant assesses a company's server room to determine how well it can maintain operations during power interruptions. The consultant evaluates the integration of power distribution units (PDUs) and backup power generators within the security architecture.

Considering the goal of ensuring resilience and recovery in the server room during power interruptions, which primary role does the backup power generator play in conjunction with the PDU?

It provides a prolonged source of power to the PDUs after the UPS system depletes its immediate resources

34

A growing e-commerce company wants to implement a strategy that evenly distributes incoming traffic across multiple servers without constantly monitoring server loads or making adjustments based on real-time conditions.

Which strategy should this company implement to manage load distribution in this manner?

Passive load balancing

35

A growing e-commerce company is considering various strategies to ensure its web servers can handle sudden traffic surges without an impact on site availability.

The company is assessing methods that distribute incoming traffic across multiple servers.

Which strategy should the company implement to dynamically allocate the load based on real-time traffic and server conditions?

Active load balancing

36

You have been asked to deploy a network solution that includes an alternate location where operational recovery is provided within minutes of a disaster.

Which of the following strategies would you choose?

hot site

37

To prevent server downtime, which of the following components should be installed in a server system redundantly?

Uninterruptible power supply (UPS)

38

What is the primary function of the Common Address Redundancy Protocol (CARP) in a network?

To enable the active node to "own" the virtual IP and respond to connections

39

What is a primary function of application clustering in a network?

It allows servers in the cluster to communicate session information to one another.

40

What is a significant advantage of using an active/passive clustering configuration in a network?

The performance is not adversely affected during failover.

41

A large software development company is implementing a data protection strategy. The company heavily relies on virtual machines for their development and testing environments.

The primary concern is the ability to quickly recover and resume work in the event of a primary VM failure or corruption.

Which data protection method would be MOST suitable for this organization?

VM replication

42

A large multinational corporation is implementing a data protection strategy. The company has a complex IT environment with a mix of physical servers, virtual machines, and cloud-based services.

The primary concern is the ability to rapidly recover large datasets and applications in the event of a major system failure or data corruption.

Which type of snapshot would be MOST suitable for this organization?

Storage Area Network (SAN) snapshots

43

In the context of data protection and recovery, which of the following statements about replication is correct?

Replication involves creating and maintaining exact copies of data on different storage systems or locations.

44

A large multinational corporation is implementing a data protection strategy. The company has a complex IT environment with a mix of physical servers, virtual machines, and cloud-based services.

The primary concern is the ability to track and monitor data modifications and revert to previous states if necessary, especially in the event of local failures, natural disasters, or malicious attacks.

Which type of journaling would be MOST suitable for this organization?

Remote journaling

45

A large organization is implementing a data protection strategy and considering the use of snapshots. The company has a complex IT environment with a mix of physical servers, virtual machines, and cloud-based services.

The primary concern is the ability to recover individual files or previous versions of files in case of accidental deletion or data corruption.

Which type of snapshot would be MOST suitable for this organization?

Filesystem snapshots

46

You are the IT manager of a large corporation. Your company has been using a traditional backup method that backs up all data once per week.

However, with the growth of the company and the increase in data, this method is causing performance issues and proving insufficient. You are considering implementing an enterprise backup solution.

Which of the following factors should be your top priority when choosing a new backup solution?

The ability of the backup solution to minimize performance disruptions during backup operations.

47

You are the IT manager of a large corporation. Your company has been experiencing rapid growth, and the current backup techniques are proving insufficient to address the unique challenges and requirements of the organization.

You are tasked with implementing a new enterprise backup solution.

Which of the following would be the MOST effective approach?

Implement an enterprise backup solution that supports various environments and offers data deduplication and compression.

48

Which of the following statements about data deduplication is correct?

Data deduplication is a data compression technique that eliminates redundant data and optimizes storage space.

49

An enterprise seeks to optimize its backup storage space due to the increasing amounts of data it handles daily. The company wants to ensure it is not storing redundant copies of the same data, which consumes valuable storage resources.

Which technique should the company implement to solve this issue?

Data deduplication
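Cards 48 and 49 define deduplication; the example below, added here and not from the flashcard set or any backup product, shows the mechanism a backup target actually uses: split data into fixed-size blocks, key each block by its SHA-256 digest, and store a file as a list of digests so identical blocks are kept once. The two "VM images" are constructed so that they share nine of ten blocks, which is the case a dedup store is built for.

```python
"""Fixed-size block deduplication with a content-addressed store.

Added example, not from the flashcard set. Each 4 KiB block is stored under
its SHA-256 digest; a file is recorded as a list of digests (its "recipe").
Sample data is constructed.
"""
import hashlib

BLOCK_SIZE = 4096


class DedupStore:
    def __init__(self, block_size=BLOCK_SIZE):
        self.block_size = block_size
        self.blocks = {}      # digest -> block bytes (unique data actually stored)
        self.recipes = {}     # filename -> list of digests in file order
        self.logical_bytes = 0  # total bytes the clients handed us

    def put(self, name: str, data: bytes) -> list:
        """Store `data` as `name`, writing only blocks not already present."""
        recipe = []
        for off in range(0, len(data), self.block_size):
            chunk = data[off:off + self.block_size]
            digest = hashlib.sha256(chunk).hexdigest()
            self.blocks.setdefault(digest, chunk)  # no-op if the block is already stored
            recipe.append(digest)
        self.recipes[name] = recipe
        self.logical_bytes += len(data)
        return recipe

    def get(self, name: str) -> bytes:
        """Rebuild a file from its recipe."""
        return b"".join(self.blocks[d] for d in self.recipes[name])

    @property
    def stored_bytes(self) -> int:
        return sum(len(b) for b in self.blocks.values())

    def ratio(self) -> float:
        """Logical-to-physical ratio; 1.0 means nothing was deduplicated."""
        return self.logical_bytes / self.stored_bytes if self.stored_bytes else 0.0


def demo():
    """Two constructed VM images that differ in one block out of ten."""
    base = b"".join(bytes([i]) * BLOCK_SIZE for i in range(10))
    vm1 = base
    vm2 = base[:3 * BLOCK_SIZE] + b"\xff" * BLOCK_SIZE + base[4 * BLOCK_SIZE:]
    store = DedupStore()
    store.put("vm1.img", vm1)
    store.put("vm2.img", vm2)
    return store, vm1, vm2


if __name__ == "__main__":
    store, _, _ = demo()
    print(f"logical={store.logical_bytes} stored={store.stored_bytes} ratio={store.ratio():.2f}")
```

Two caveats a practitioner should carry from this: fixed-size chunking loses most of its benefit if bytes are inserted near the start of a file, because every later block shifts and hashes differently (production systems use content-defined chunking for that reason), and data encrypted on the client before it reaches the backup target will not deduplicate at all, since identical plaintext blocks no longer produce identical ciphertext.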

50

You are the IT manager of a financial services firm. Your company deals with highly dynamic data and stringent regulatory mandates.

You are tasked with determining the optimal backup frequency for your company's data.

Which of the following factors should be your top priority when deciding on the backup frequency?

The volatility of the company's data