Domain 7 Exam.
A minimum of 70% is required to pass.
#1. After a disaster has occurred, an impact assessment must be performed. Which of the following steps is the last one performed in an impact assessment?
〇:Declare the impact and consequences of the disaster.
The final step in the damage assessment is to declare the disaster. After the information from the damage assessment has been collected and evaluated, determine if the BCP actually needs to be activated. The BCP coordinator and team should determine the activation criteria before the disaster occurs.
×:Determine the cause of the disaster.
Determining the cause of the disaster is incorrect as it is the first step in the damage assessment process.
×:Identify resources that need to be replaced immediately.
Incorrect because identifying resources that need to be replaced immediately is not the last step in damage assessment.
×:Determine how long it will take to bring critical functions back online.
Incorrect because determining how long it will take to bring critical functions back online is the second-to-last step in damage assessment.
#2. Which of the following is NOT a phase of the Disaster Recovery Planning life cycle?
Disaster Recovery Planning includes the Mitigation, Preparedness, Response, and Recovery life cycles.
- Mitigation: Reduces the impact and likelihood of a disaster.
- Prepare: Create programs, procedures, and tools for response.
- Response: follow procedures and how to respond to a disaster.
- Recovery: re-establish basic functionality and return to a full production environment.
#3. Which of the following is most relevant in achieving the objective of securing all evidence and notating it as information to be presented to those who verify it?
〇:Control of the processing and distribution process
An important part of the digital forensic process is to maintain a proper chain of custody of evidence.
The question structure assumes Chain of Custody (Chain of Custody) from “the purpose of securing all evidence and notating it as information to be presented to those who verify it” and selects the one that comes closest to the definition.
×:Reasonable care
Wrong because reasonable care implies performing an activity that a reasonable person would be expected to perform under similar circumstances.
×:Investigation
Incorrect because investigation involves the proper collection of relevant data during the incident response process and includes analysis, interpretation, reaction, and recovery.
×:Motive, Opportunity, Means
Motive, Opportunity, and Means (MOM) is incorrect because it is a strategy used to understand why certain crimes were committed and by whom.
#4. Server cluster configurations are taken for critical applications, but what functions are achieved by this configuration?
Clustering is designed for fault tolerance. It is often combined with load balancing, but they are essentially separate. Clustering can make an operation active/active. On top of that, the load balancing feature handles traffic from multiple servers. Active/passive, on the other hand, has a designated primary active server and a secondary passive server, with the passive sending keep-alives or heartbeats every few seconds.
#5. RAID systems are available in a variety of methods that provide redundancy and performance. Which ones write data divided across multiple drives?
〇:Striping
RAID redundant arrays is a technology used for redundancy and performance. It combines multiple physical disks and aggregates them into a logical array; RAID appears as a single drive to applications and other devices. With striping, data is written to all drives. With this activity, data is split and written to multiple drives. Since multiple heads are reading and writing data at the same time, write and read performance is greatly improved.
×:Parity
Parity is used to reconstruct corrupted data.
×:Mirroring
Writing data to two drives at once is called mirroring.
×:Hot Swap
Hot swap refers to a type of disk found on most RAID systems. A RAID system with hot-swap disks allows the drives to be swapped out while the system is running. When a drive is swapped out or added, parity data is used to rebuild the data on the new disk that was just added.
#6. The operations team is responsible for ensuring that data is backed up at a regular frequency. Which of the following backs up files that have changed since the last time all data was backed up?
〇:Differential Backup
Backups can be taken in full, differential, or incremental. Most files are not changed daily to save very much time and resources, and it is better to develop a backup plan that does not back up for data that is not continually changing. In backup software, when a file is modified or created, the file system sets the archive bit and the backup software determines if that file should be backed up. A differential backup backs up files that have changed since the last full backup.
×:Incremental Backup
An incremental backup backs up all data that has changed since the last backup.
×:Full Backup
A full backup backs up the entire database or the entire system.
×:Partial Backup
Not in the backup category.
#7. Measuring the damage and recovery requirements by different indicators helps quantify the risk. which is correct about the RPO (Recovery Point Objective) and RTO (Recovery Time Objective)?
RPO (Recovery Point Objective) is the target value for recovering data at a point in the past when a failure occurs. When a failure occurs, the data currently handled is lost. The lost data must be recovered from backups, but it is important to know how far in the past the backups are from the current point in time.
RTO (Recovery Time Objective) is a target value that defines when the data should be recovered in the event of a failure. In the event of a failure, the service must not be unavailable indefinitely. Failure response procedures and disaster drills must be implemented to establish a target value for the time from the occurrence of a failure to the startup of service.
#8. Which RAID configuration always provides redundancy?
#9. John provides a weekly report to the manager outlining security incidents and mitigation procedures. If there is no incident information to put on the report, what action should he take?
〇:Send a report labeled “No output”.
If there is nothing to report (nothing to report), you need to make sure the manager is aware that the report has no information and is not only to be held accountable.
×:Send an email notifying the manager that there is nothing to report.
It is not appropriate to suddenly keep a record of the report by e-mail, since the report is normally scheduled to be reported in the operation. Realistically, wouldn’t you be more endearing to your manager if you communicated with him or her every step of the way? No, I am not asking you to do that.
×:Re-submit last week’s report and submit the date of last week’s report as this week’s date.
Delivering last week’s report does not express that nothing was reported this week.
×:Nothing.
You are required to report that nothing happened.
#10. Different levels of RAID determine the type of activity that occurs within a RAID system. Which level of RAID is associated with byte-level parity?
〇:RAID Level 3
RAID redundant arrays provide fault tolerance capability for hard drives and can improve system performance. Redundancy and speed are provided by splitting data and writing it to multiple disks, allowing different disk heads to operate simultaneously to retrieve requested information. At this time, recovery data is also created. This is called parity; if one disk fails, the parity data can be used to reconstruct the corrupted or lost information. Different levels of RAID systems experience different activities that provide fault tolerance or improved performance. RAID level 3 is a method that uses byte-level striping and dedicated parity disks.
×:RAID Level 0
Wrong because only striping occurs at level 0.
×:RAID Level 5
RAID 5 is incorrect because it uses block-level striping and interleaved parity on all disks.
×:RAID Level 10
Level 10 is incorrect because it is associated with striping and mirroring.
#11. Which of the following is a structured walk-through test in disaster recovery testing?
〇:Representatives from each department meet and undergo validation.
Structured walk-through testing allows functional personnel to review the plan as it is fulfilled to ensure its accuracy and validity.
×:Ensures that some systems will run at alternate sites.
This is incorrect because it describes parallel testing.
×:Send a copy of the disaster recovery plan to all departments to verify its completeness.
This is incorrect because it describes a checklist test.
×:Take down the normal operation system.
This is incorrect because it describes a full interruption test.
#12. Which of the following is not a common component as a step to change configuration management?
A structured change management process must be established to direct staff to make appropriate configuration changes. Standard procedures keep the process under control and ensure that it can be implemented in a predictable manner. Change management policies should include procedures for requesting changes, approving changes, documenting, testing and viewing changes, implementing, and reporting changes to management. The configuration management change control process is not typically associated with service level agreement approvals.
#13. Which formulas are used in a Business Impact Analysis (BIA) assessment?
#14. You are selecting a site for a new data center and offices. Which of the following is not a valid security concern?
Greenfield is undeveloped land that has not yet been built upon. The perspectives for selecting a site as a data center site include topography, utilities, and public safety.
- Topography refers to the physical shape of the landscape-hills, valleys, trees, streams.
- Utility refers to the degree to which power and internet in the area are reliable.
- Public safety is in terms of how high is the crime rate in the area and how close is the police force.
#15. As a security administrator, you are dealing with a virus infection. One day, your antivirus application detects that a file is infected with a dangerous virus. Disinfecting that file may damage the normal file contents themselves. What action should you take?
〇:Restore the virus unpatched file version from the backup media.
The best practice is to install an unpatched, uninfected version of the file from the backup media. It is important to restore files that are known to be clean, as attempts to remove the files may corrupt them. The most important thing is not to spread the impact, but attempting to unilaterally delete files may make them unavailable for later investigation.
×:Replace the file with the file saved the previous day.
The file saved the previous day may also contain the virus.
×:Delete the file and contact the vendor.
This is an incorrect answer because the condition of this question is that if the file is deleted, the normal file content itself may be damaged.
×:Back up the data and delete the file.
This is an incorrect answer because backing up the data that contains the virus and deleting the file does not result in a clean situation.
#16. Which of the following backup types does NOT clear the archive bit of the Windows system?
Archive bits are those that have been updated since the previous backup point in time. Full backups are full backups, so there is no need to be aware of where changes have occurred. Incremental backups also do not require awareness of change points because the backup portion is predetermined. Therefore, both clear the archive bit. However, differential backups do not clear the archive bit because only the changed part is known to be backed up.
#17. You are the security administrator for a large retail company. Their network has many different network devices and software appliances that generate logs and audit data. At one point, your staff is trying to determine if any suspicious activity is taking place in the network. However, reviewing all the log files is burdensome. Which of the following is the best solution for your company in this case?
〇:SIEM
Many organizations have implemented security event management systems, called Security Information and Event Management (SIEM) systems. They attempt to correlate log data collected from various devices (servers, firewalls, routers, etc.) and provide analysis capabilities. They also have solutions with networks (IDS, IPS, anti-malware, proxies, etc.) that collect logs in various proprietary formats that require centralization, standardization, and normalization. Therefore, the correct answer is SIEM.
×:Intrusion Detection System
Intrusion Detection System (IDS, Intrusion Detection System) is a mechanism that monitors the system and leads to passive actions. It does not have the ability to collect and analyze logs.
×:SOAR
SOAR (Security Orchestration, Automation and Response) is a technology that enables efficient monitoring, understanding, decision-making and action on security incidents. It may be fulfilled by SOAR through intrinsic cause analysis, but it is not a solution used for the purpose of identifying if suspicious activity is taking place in the network.
×:Event correlation tools
The term “event correlation tool” does not exist, but may be a feature of a SIEM.
#18. The change management process includes a variety of steps. Which of the following incorrectly describes a change management policy procedure?
〇:A change unanimously approved by the change control committee would be a step that does not require testing of the actual equipment.
This is a false choice question.
For different types of environmental changes, a structured change management process needs to be in place. Depending on the severity of the change requirement, the change and implementation may need to be presented to a change control committee. Change requests approved by the change control committee must be tested to discover any unintended consequences. This helps to demonstrate the purpose, consequences, and possible effects of the change in its various aspects. This means that just because a change has been approved by the change control board does not mean that it does not need to be tested. The change control board has mandated action on the change, and its appropriateness must be ensured by testing. Therefore, the correct answer is: “A change that is unanimously approved by the change control committee is a step that does not require testing on the actual equipment.” The result will be
×:Changes approved by the change control committee should be kept as a log of changes.
This is correct change management.
×:A rough schedule should be created during the planning phase of the change.
This is correct change management.
×:Proposed changes should be prioritized and reviewed.
This is correct change management.
#19. The team should be involved in the implementation of the business continuity plan. Which team is responsible for initiating recovery of the original site?
〇:Salvage Teams
The BCP coordinator should understand the needs of the company and the types of teams that need to be developed and trained. Employees should be assigned to specific teams based on their knowledge and skill sets. Named leaders, each team must have members and the ability to direct their activities. These team leaders will be responsible not only for ensuring that team goals are met, but also for interacting with each other to ensure that each team is operating properly. The salvage team is responsible for initiating recovery of the original site. They are also responsible for backing up data from the alternate site and restoring it within the new facility, carefully terminating any unforeseen operations, and ensuring equipment and personnel are transported to the new facility.
×:Damage Assessment Team
The Damage Assessment Team is incorrect because it is responsible for determining the extent and severity of damage.
×:BCP Team
Wrong because the BCP team is responsible for creating and maintaining a business continuity plan.
×:Recovery Team
Wrong because the Recovery Team is responsible for getting an alternate site to work and to keep the environment functioning.
#20. Which of the following adequately describes parallel testing in disaster recovery testing?
〇:Ensure that some systems are executed at the alternate site.
Parallel testing compares how some systems run at the alternate site and how the results are processed at the primary site. This is to assure that systems run at the alternate site and does not affect service productivity.
×:All departments will be sent a copy of the disaster recovery plan for completeness.
This alternative is incorrect because it describes a checklist test.
×:Representatives from each department meet to validate the plan.
This option is incorrect because it describes a structured walk-through test.
×:The normal operation system is taken down.
This option is incorrect because it describes a full interruption test.