Which of the following should a database administrator for an analytics firm implement to best protect PII from an insider threat?
Correct Answer:
C
Data auditing is the most essential and effective method to protect PII from an insider threat. Data auditing is the process of monitoring and recording the activities and events related to data access and usage. Data
auditing can help detect and prevent any suspicious or anomalous behavior by an insider threat who tries to
access or manipulate PII.
Data auditing can provide several benefits for data protection, such as:
It can provide accountability and transparency for data access and usage, which can deter potential insider threats from abusing their privileges or violating policies. It can provide evidence and traceability for data incidents, which can help investigate and respond to data breaches or leaks by insider threats. It can provide feedback and insights for data security improvement, which can help identify and address any gaps or weaknesses in data protection measures.
Data auditing can be done by using tools such as logs, alerts, reports, or dashboards. These tools can help security analysts track and analyze data activity and identify any patterns or anomalies that indicate a possible insider threat.
Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the best solution to improve the equipment's security posture?
Correct Answer:
B
Implementing an air gap for the legacy systems is the best solution to improve their security posture. An air gap is a physical separation of a system or network from any other system or network that may pose a threat. An air gap can prevent any unauthorized access or data transfer between the isolated system or network and the external environment. Implementing an air gap for the legacy systems can help to protect them from being exploited by attackers who may take advantage of their unpatched vulnerabilities .
An analyst needs to understand how an attacker compromised a server. Which of the following procedures will best deliver the information that is necessary to reconstruct the steps taken by the attacker?
Correct Answer:
B
The correct answer is B. Extract the server’s system timeline, verifying hashes and network connections during a certain time frame. A system timeline is a chronological record of the events and activities that occurred on a system, such as file creation, modification, or deletion, process execution, registry changes, or network connections. A system timeline can help an analyst to understand how an attacker compromised a server by showing the sequence of actions and artifacts left by the attacker. An analyst can also verify the hashes of the files and processes involved in the compromise and compare them with known malware
signatures or databases. Additionally, an analyst can check the network connections made by the server during the compromise and identify the source and destination IP addresses, ports, and protocols used by the attacker1.
Which of following allows Secure Boot to be enabled?
Correct Answer:
B
UEFI, or Unified Extensible Firmware Interface, is a specification that defines the software interface between an operating system and platform firmware. UEFI replaces the legacy BIOS (Basic Input/Output System) interface that was used to boot and configure computers. UEFI provides several advantages over BIOS, such as faster boot times, better security features, larger disk support, graphical user interface, etc. One of the security features that UEFI supports is Secure Boot, which is a mechanism that ensures that only authorized software can run during the boot process. Secure Boot prevents unauthorized or malicious code from loading or executing before the operating system starts. Secure Boot works by verifying the digital signature of each piece of boot software against a database of trusted keys stored in UEFI firmware. If the signature is valid, the software is allowed to run; otherwise, it is blocked or rejected.
An organization is adopting loT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs. Despite the number of devices being deployed, the organization has only focused on software patches so far. leaving hardware-related weaknesses open to compromise. Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability management programs?
Correct Answer:
A
Threat intelligence is a collection and analysis of information about current and emerging threats and vulnerabilities that affect an organization’s assets and operations. Threat intelligence can help to guide risk evaluation activities by providing context, prioritization and recommendations for mitigating firmware vulnerabilities. For example, threat intelligence can help to identify which firmware vulnerabilities are actively exploited in the wild, which ones have high severity or impact, and which ones have available patches or workarounds. Implementing critical updates after proper testing can help to ensure that the firmware updates are trusted, compatible and effective. Testing can help to verify the integrity and authenticity of the firmware updates, as well as their compatibility with the existing system configuration and functionality. Testing can also help to identify any issues or conflicts that may arise from applying the firmware updates and resolve them before deployment12.