Human Resources (HR) would like executives to undergo only two specific security training programs a year. Which of the following provides the BEST level of security training for the executives? (Select TWO).
A. Acceptable use of social media
B. Data handling and disposal
C. Zero day exploits and viruses
D. Phishing threats and attacks
E. Clean desk and BYOD
F. Information security awareness
Correct Answer: DF
Managers, i.e. the executives in the company, are concerned with more global issues in the organization, including enforcing security policies and procedures. Managers should receive additional training or exposure that explains the issues, the threats, and the methods of dealing with those threats. Management will also be concerned about productivity impacts, enforcement, and how the various departments are affected by security policies. Phishing is a form of social engineering in which you ask someone for a piece of information that you are missing by making the request look legitimate. An email might look as if it is from a bank and contain some basic information, such as the user's name. Executives can easily fall prey to phishing if they are not trained to look out for these attacks.
Incorrect Answers:
A: Acceptable use policies regarding how social media can be used within the organization are geared mainly toward employees, to make them aware that attackers can solicit information/data from the company over instant messaging (IM), which is social media, as easily as they can over email, and that this can occur on Facebook, MySpace, or anywhere else that IM is possible.
B: Data handling and disposal refers to limiting access to data to those users who need it, and no more.
C: A zero-day exploit occurs when a vulnerability/hole in a web browser or other software is found by attackers and exploited immediately. The executives of a company are unlikely to be handling this type of attack.
E: Clean desk and BYOD policy training is best aimed at employees, to encourage them to maintain clean desks and to leave out only those papers that are relevant to the project they are working on at that moment. All sensitive information should be put away when the employee is away from their desk.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 338, 400
Question 462:
Sara, a company's security officer, often receives reports of unauthorized personnel having access codes to the cipher locks of secure areas in the building. Sara should immediately implement which of the following?
A. Acceptable Use Policy
B. Physical security controls
C. Technical controls
D. Security awareness training
Correct Answer: D
Security awareness and training include explaining policies, procedures, and current threats to both users and management. A security awareness and training program can do much to assist in your efforts to improve and maintain security. A good security awareness training program for the entire organization should cover the following areas: Importance of security; Responsibilities of people in the organization; Policies and procedures; Usage policies; Account and password-selection criteria as well as Social engineering prevention.
Incorrect Answers:
A: Companies generally have acceptable use policies regarding how computers can be used within the organization.
B: Physical security controls refer to actual physical barriers such as an external entrance to a building (perimeter), locked doors, and the entrance to the secure/computer room itself. In this scenario the unauthorized personnel already have access codes to the cipher locks of the secure areas.
C: Technical controls are usually implemented using technology such as firewalls, IDS, IPS, etc.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 399-404, 420
Question 463:
After a number of highly publicized and embarrassing customer data leaks as a result of social engineering attacks by phone, the Chief Information Officer (CIO) has decided user training will reduce the risk of another data leak. Which of the following would be MOST effective in reducing data leaks in this situation?
A. Information Security Awareness
B. Social Media and BYOD
C. Data Handling and Disposal
D. Acceptable Use of IT Systems
Correct Answer: A
Education and training in Information Security Awareness reduce the risk of data leaks and as such form an integral part of a security awareness program. Social engineering tricks employees into leaking data; only when company users are made aware of the methods of social engineering through Information Security Awareness training can you reduce the risk of data leaks.
Incorrect Answers:
B: Attackers can solicit information/data from the company over instant messaging (IM), which is social media, as easily as they can over email, and this can occur on Facebook, MySpace, or anywhere else that IM is possible. As far as employees bringing their own devices is concerned, such a device can connect to the company's Wi-Fi network.
C: Data handling and disposal refers to limiting access to data to those users who need it, and no more, and to how you as the CIO handle the disposal of that data; it does not involve training users.
D: Acceptable use of IT systems refers to the usage of computers within the organization, not to the prevention of data leaks.
The security officer is preparing a read-only USB stick with a document of important personal phone numbers, vendor contacts, an MD5 program, and other tools to provide to employees. At which of the following points in an incident should the officer instruct employees to use this information?
removal); Data breach; Damage and loss control. In this scenario the security officer is carrying out an incident response measure that will address and be of benefit to those in the vanguard, i.e. the employees, who are the first responders.
Incorrect Answers:
A: A business impact analysis (BIA) is concerned with evaluating the processes and the likelihood of a loss. A business impact analysis is an integral part of business continuity planning, which is a management tool that ensures that critical business functions can be performed when normal business operations are disrupted. In this case the question refers to a process within the incident response plan being carried out by an incident response team member.
C: Damage and loss control is critical, but a security officer arming employees (those in the vanguard) with tools to mitigate risk when they encounter an incident is more a first responder phase of incident response procedures.
D: Contingency planning is not normally part of an incident response policy.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 429, 432
Question 465:
Which of the following is the LEAST volatile when performing incident response procedures?
A. Registers
B. RAID cache
C. RAM
D. Hard drive
Correct Answer: D
An example of the order of volatility (OOV) in an investigation, from most to least volatile, is RAM, hard drive data, CDs/DVDs, and printouts. Of the options stated in the question, the hard drive is the least volatile.
Incorrect Answers:
A: The registers are part of the CPU cache and rank quite high in the OOV of an incident response procedure.
B: The RAID cache is more volatile than RAM in the OOV of an incident response procedure.
C: A hard drive ranks lower (is less volatile) than RAM in the OOV of an incident response procedure.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 453
Question 466:
In the initial stages of an incident response, Matt, the security administrator, was provided the hard drives in question from the incident manager. Which of the following incident response procedures would he need to perform in order to begin the analysis? (Select TWO).
A. Take hashes
B. Begin the chain of custody paperwork
C. Take screen shots
D. Capture the system image
E. Decompile suspicious files
Correct Answer: AD
A: Take hashes. NIST (the National Institute of Standards and Technology) maintains a National Software Reference Library (NSRL). One of the purposes of the NSRL is to collect "known, traceable software applications" through their hash values and store them in a Reference Data Set (RDS). The RDS can then be used by law enforcement, government agencies, and businesses to determine which files are important as evidence in criminal investigations.
D: A system image is a snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it.
Incorrect Answers:
B: Starting the chain of custody paperwork at this point would be null and void, since the evidence involved has already been removed from the scene and the security administrator would not know where it has been and who had it until it was given to him.
C: Taking screenshots may be too late, since only the hard drives in question were handed to the security administrator by the incident manager. We could assume that the incident manager probably already took screenshots.
E: Decompiling suspicious files can only happen once the hard drives are mounted.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 453-454
Question 467:
A server dedicated to the storage and processing of sensitive information was compromised with a rootkit and sensitive data was extracted. Which of the following incident response procedures is best suited to restore the server?
A. Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup.
B. Keep the data partition, restore the OS from the most current backup and run a full system antivirus scan.
C. Format the storage and reinstall both the OS and the data from the most current backup.
D. Erase the storage, reinstall the OS from most current backup and only restore the data that was not compromised.
Correct Answer: A
Rootkits are software programs that have the ability to hide certain things from the operating system. With a rootkit, there may be a number of processes running on a system that do not show up in Task Manager, or connections established or available that do not appear in a netstat display; the rootkit masks the presence of these items. The rootkit is able to do this by manipulating function calls to the operating system and filtering out information that would normally appear. Theoretically, rootkits could hide anywhere that there is enough memory to reside: video cards, PCI cards, and the like. The best way to handle this situation is to wipe the server, reinstall the operating system from the original installation media, and then restore the extracted data from your last known good backup. This way you eradicate the rootkit and restore the data.
Incorrect Answers:
B: Keeping the data partition will not ensure that the rootkit is eradicated.
C: Formatting the storage is not guaranteed to eradicate the rootkit, since a rootkit is capable of manipulating function calls to the operating system. Also, reinstalling the OS and data from the most recent backup may result in reinstalling the rootkit.
D: Erasing the storage will not eradicate the rootkit. Furthermore, you need to make use of the last known good backup and not the most current backup.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 301, 429
Question 468:
After a recent security breach, the network administrator has been tasked to update and backup all router and switch configurations. The security administrator has been tasked to enforce stricter security policies. All users were forced to undergo additional user awareness training. All of these actions are due to which of the following types of risk mitigation strategies?
A. Change management
B. Implementing policies to prevent data loss
C. User rights and permissions review
D. Lessons learned
Correct Answer: D
Incident response procedures involve: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recovery/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. Described in the question is a situation where a security breach has occurred, and the response shows that lessons have been learned and used to put in place measures that will prevent any future security breaches of the same kind.
Incorrect Answers:
A: Change management refers to the structured approach that is followed to secure a company's assets. Described in the question is a case of incident response, and incident response is only a part of change management.
B: Policies preventing data loss involve monitoring the contents of systems to make sure that key content is not deleted or removed. This is not the updating and backup of all router and switch configurations.
C: Audits usually address user rights and permission reviews, which form part of risk mitigation.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 10, 429
Question 469:
In which of the following steps of incident response does a team analyse the incident and determine steps to prevent a future occurrence?
A. Mitigation
B. Identification
C. Preparation
D. Lessons learned
Correct Answer: D
Incident response procedures involve, in chronological order: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recovery/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. Thus lessons are only learned after mitigation has occurred, for only then can you 'step back' and analyze the incident to prevent the same occurrence in future.
Incorrect Answers:
A: Mitigation is accomplished any time a step has been taken to reduce risk.
B: When responding to an incident, identification of the incident is essential to know how to handle it and what steps to take. This happens well before an incident is analyzed to determine which steps to take to prevent the same occurrence in future.
C: Preparation involves all the preventative measures that are taken to prevent any risk incident. This does not mean that an incident has already occurred, as is alluded to in the question.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 429
Question 470:
Who should be contacted FIRST in the event of a security breach?
A. Forensics analysis team
B. Internal auditors
C. Incident response team
D. Software vendors
Correct Answer: C
A security breach is an incident and requires a response. The incident response team is the group best equipped to deal with any incident, as all of their procedures are built around it. Their procedures in addressing incidents are: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recovery/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control.
Incorrect Answers:
A: Forensic analysis deals with the evidence found in computers and on digital storage media. Incident response encompasses forensics and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.
B: Internal auditing is part of the job of the incident response team when they document and record the costs involved in addressing the incident.
D: Software vendors are only contacted when the incident response team deems it necessary. Thus the first contact in the event of a security breach is the incident response team.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 429, 446