An incident response team detected malicious software that could have gained access to credit card data. Because incident response mechanisms were in place, the team was able to mitigate significant damage and implement corrective actions. Which of the following should be notified for lessons learned?
Correct Answer:
C
Lessons learned is a critical stage of incident response that involves evaluating the effectiveness of the response, identifying gaps and areas for improvement, and updating the incident response plan accordingly.
Company leadership should be involved in this process to ensure they are aware of the incident, its impact, and the actions taken to prevent or mitigate future incidents. Company leadership can also provide support and guidance for implementing the recommendations from the lessons learned session.
A security administrator needs to provide access from partners to an isolated laboratory network inside an organization that meets the following requirements:
• The partners' PCs must not connect directly to the laboratory network.
• The tools the partners need to access while on the laboratory network must be available to all partners.
• The partners must be able to run analyses on the laboratory network, which may take hours to complete.
Which of the following capabilities will MOST likely meet the security objectives of the request?
Correct Answer:
D
A jump box is a system that is connected to two networks and acts as a gateway or intermediary between them [1]. A jump box can help to isolate and secure a network by limiting direct access to it from other networks. A jump box can also help to monitor and audit the traffic and activity on the network. A VDI (Virtual Desktop Infrastructure) is a technology that allows users to access virtual desktops that are hosted on a server [2]. A VDI can provide users with the necessary tools and applications for analysis without installing them on their own PCs. A VDI can also reduce the maintenance and management costs of the desktops. A VDI can operate in two modes: persistent and non-persistent. In persistent mode, each user has a dedicated virtual desktop that retains its settings and data across sessions. In non-persistent mode, each user has a temporary virtual desktop that is deleted or reset after each session [3].
In this scenario, deploying a jump box to allow access to the laboratory network and using VDI in non-persistent mode can meet the security objectives of the request. The jump box prevents the partners’ PCs from connecting directly to the laboratory network and reduces the risk of unauthorized access or compromise. The VDI in non-persistent mode provides the necessary tools for analysis without storing any data on the partners’ PCs or the virtual desktops. The VDI in non-persistent mode also allows the partners to run long analyses without losing their progress or results. Deploying a firewall (B) may not be sufficient or effective, as a firewall only filters or blocks traffic based on rules and does not provide access or tools for analysis. Using VDI in persistent mode (A) or (C) may not be secure or efficient, as persistent mode stores data on the virtual desktops that may be sensitive or confidential.
References:
[1] https://www.techrepublic.com/article/jump-boxes-vs-firewalls/
[2] https://www.techopedia.com/definition/26139/virtual-desktop-infrastructure-vdi
[3] https://www.techopedia.com/definition/31686/resource-exhaustion
An email analysis system notifies a security analyst that the following message was quarantined and requires further review.
Which of the following actions should the security analyst take?
Correct Answer:
C
The email message that was quarantined and requires further review is an example of a phishing attempt that tries to trick the recipient into buying gift cards for a fake urgent request from a senior executive. The security analyst should delete the email and block the sender to prevent further attempts from reaching other users in the organization. Releasing the email for delivery, contacting a purchasing agent to expedite, or purchasing the gift cards and submitting an expense report would mean falling for the phishing attempt and would result in financial loss or reputation damage for the organization.
Reference: https://www.csoonline.com/article/3444488/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent
Which of the following is a reason to use a risk-based cybersecurity framework?
Correct Answer:
B
A risk-based cybersecurity framework is a set of guidelines and best practices that helps an organization identify, assess, prioritize, and mitigate cyber risks. By using a risk-based approach, an organization can allocate its resources more efficiently and effectively to address the most critical and likely cyber risks. A risk-based approach does not always require quantifying each cyber risk, is not driven by regulatory compliance, and does not prioritize vulnerability remediation through threat hunting. Reference: https://www.nist.gov/cyberframework/risk-management
An analyst is performing a BIA and needs to consider measures and metrics. Which of the following would help the analyst achieve this objective? (Select two).
Correct Answer:
D, F
The objective of a BIA is to determine the potential impacts of various disruptions on the business processes and functions, and to establish the recovery priorities and objectives for each process and function. To achieve this objective, the analyst needs to consider various measures and metrics that can quantify the impacts and the recovery requirements. Some of the common measures and metrics that are used in a BIA are:
Maximum downtime before impact is unacceptable: This metric defines the maximum amount of time that a business process or function can be disrupted without causing significant or irreversible damage to the organization’s reputation, operations, finances, or legal obligations. This metric is also known as the maximum tolerable downtime (MTD) or maximum tolerable period of disruption (MTPD). It helps to determine the recovery time objective (RTO), which is the target time for restoring the process or function to an acceptable level of service after a disruption.
Total time accepted for business process outage: This metric defines the total amount of time that a business process or function can be out of service within a given period, such as a day, a week, or a month. This metric is also known as the recovery point objective (RPO), which is the maximum amount of data loss or corruption that can be tolerated after a disruption. It helps to determine the backup frequency and retention policy for the data and systems that support the process or function.
Time required to inform stakeholders about outage: This metric defines the time frame for communicating with the internal and external stakeholders who are affected by or involved in the disruption and recovery of a business process or function. This metric helps to establish the crisis communication plan and protocol, which specifies who, what, when, where, why, and how to communicate during and after a disruption. It also helps to manage the expectations and perceptions of the stakeholders and to maintain their trust and confidence in the organization.
Time to reimage the server: This metric defines the time needed to restore a server to its original or desired state after a disruption. This metric helps to estimate the resources and efforts required for recovering the server and its applications. It also helps to evaluate the feasibility and effectiveness of different recovery strategies, such as restoring from backup, rebuilding from scratch, or replacing with a spare.
Minimum data backup volume: This metric defines the minimum amount of data that needs to be backed up regularly to ensure the continuity and integrity of a business process or function. This metric helps to optimize the backup process and reduce the storage costs and bandwidth consumption. It also helps to identify the critical data elements and sources that are essential for the process or function.
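How the metrics above fit together in practice, as an added example that is not part of the original question: a BIA worksheet check that derives the achievable RTO from the recovery steps (reimage, restore, validate), compares it with the MTD, checks the backup interval against the RPO and the stakeholder notification time against its target, and ranks processes for recovery priority. The two worksheet rows and all their hour values are constructed.

```python
"""Added example (not part of the original question): a BIA worksheet check
that derives RTO from recovery steps and compares each process against its
MTD, RPO and notification targets. All process data is constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BiaEntry:
    process: str
    mtd_hours: float                  # maximum downtime before impact is unacceptable
    rpo_hours: float                  # tolerable window of lost data
    backup_interval_hours: float      # how often backups actually run
    recovery_steps: Dict[str, float]  # e.g. reimage, restore, validate (hours)
    notify_target_hours: float        # required time to inform stakeholders
    notify_actual_hours: float        # time the current plan achieves


def rto_hours(e: BiaEntry) -> float:
    """RTO achievable with the current plan = sum of the recovery steps."""
    return sum(e.recovery_steps.values())


def gaps(e: BiaEntry) -> List[str]:
    """Return the metric shortfalls for one process (empty list = plan meets BIA)."""
    found = []
    if rto_hours(e) > e.mtd_hours:
        found.append(f"RTO {rto_hours(e):.1f}h exceeds MTD {e.mtd_hours:.1f}h")
    if e.backup_interval_hours > e.rpo_hours:
        found.append(f"backup interval {e.backup_interval_hours:.1f}h exceeds "
                     f"RPO {e.rpo_hours:.1f}h")
    if e.notify_actual_hours > e.notify_target_hours:
        found.append(f"stakeholder notification {e.notify_actual_hours:.1f}h exceeds "
                     f"target {e.notify_target_hours:.1f}h")
    return found


def prioritize(entries: List[BiaEntry]) -> List[str]:
    """Recovery priority: shortest MTD first, ties broken by tightest RPO."""
    return [e.process for e in sorted(entries, key=lambda e: (e.mtd_hours, e.rpo_hours))]


# Constructed worksheet rows (hour values are illustrative).
WORKSHEET = [
    BiaEntry("card payment processing", 4.0, 1.0, 0.25,
             {"reimage": 1.5, "restore": 1.0, "validate": 0.5}, 1.0, 0.5),
    BiaEntry("monthly reporting", 8.0, 2.0, 24.0,
             {"reimage": 4.0, "restore": 3.0, "validate": 2.0}, 2.0, 3.0),
]


def report(entries: List[BiaEntry] = WORKSHEET) -> Dict[str, List[str]]:
    """Map each process to its list of gaps."""
    return {e.process: gaps(e) for e in entries}


if __name__ == "__main__":
    print(prioritize(WORKSHEET))
    for name, issues in report().items():
        print(name, "->", issues or "meets BIA targets")
```

Each row's reimage time feeds the RTO directly, which is why "time to reimage the server" is a useful input even though it is not itself a BIA objective; a process whose step total exceeds its MTD needs either a faster strategy (a warm spare instead of a rebuild) or a revised MTD agreed with the business.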