Incident Detection and Response Coursera Quiz Answers

Get All Weeks Incident Detection and Response Coursera Quiz Answers

Welcome to course seven, Incident Detection and Response. Having an intruder inside your systems for months unnoticed by your designs, administrators, security specialists, and end-users is tantamount to giving the intruder, the keys to your business or organization. In many cases, organizations discover that they have been subjected to a data breach when others tell them that their private data has been offered for sale on the dark web.

Many leading voices within the security profession state that we all must do better to detect intruders in our myths. Many people even say that detecting intruders should be the priority for security professionals. Ransomware attacks have become a big business involving not only large-scale extortion attacks but also the sale of ransomware attack tools and services, as well as the exploitation of any data ex-filtrated during the breach.

Enroll on Coursera

Week 01: Incident Detection and Response Coursera Quiz Answers

Knowledge Check: Monitoring Systems Quiz Answer

Q.1. Directions: Answer the following true/false questions to review monitoring system terminology.    True or False? Real-time monitoring provides a means for immediately identifying overt and covert events. (D3, L7.1)   

  • True
  • False

Q.2. True or False? Non-real-time monitoring is not considered useful in terms of incident detection and response. (D3, L7.1)   

  • True
  • False

Q.3. True or False? An IDS has the ability to stop certain types of activities. (D3, L7.1)   

  • True
  • False

Applied Scenario 1 Review: Access Controls and UEBA Quiz Answer

Q.1 Directions: Answer the following questions regarding IMI’s UEBA system. (D3, L7.1)  Match the five typical use cases associated with UEBA to their description.

Connected devices that might contain sensitive data, of which IMI has hundreds. Used in the design, manufacturing and transportation to customers.  

  • Data loss prevention
  • Entity analytics (IoT) devices
  • Incident prioritization
  • Compromised insiders
  • Malicious insiders

Q.2. A contractor or employee who, for whatever reason, has turned to the “dark side,” perhaps a disgruntled employee or a malicious actor placed within IMI. If these insiders also have privileged account access, the potential impact increases. 

  • Data loss prevention
  • Entity analytics (IoT) devices
  • Incident prioritization
  • Compromised insiders
  • Malicious insiders

Q.3. MI has always made use of these solutions to track suspicious network activities such as file access, data transfers and suspicious email usage. IMI has found that this method of tracking in particular results in extremely high volumes of alerts 

  • Data loss prevention
  • Entity analytics (IoT) devices
  • Incident prioritization
  • Compromised insiders
  • Malicious insiders

Q.4. It is not uncommon to see situations where an attack from outside the organization has been successful with the end result being that privileged accounts are compromised or low-level accounts have been compromised and elevated. What is less common is discovering this type of attack using more traditional security tools and techniques.

  • Data loss prevention
  • Entity analytics (IoT) devices
  • Incident prioritization
  • Compromised insiders
  • Malicious insiders

Q.5. SIEM solutions collect and aggregate information from a range of disparate devices to provide a central repository for analysis. The analytical element within UEBA helps to quickly identify and understand which events are the most suspicious and potentially the most harmful.   

  • Data loss prevention
  • Entity analytics (IoT) devices
  • Incident prioritization
  • Compromised insiders
  • Malicious insiders

Q.6. Based on the screen capture, what indicated the user John Johnson network, file and email activities are suspicious? 

  • A research file was accessed
  • The user logged in at 10:07 a.m.
  • Large files were sent to a personal email account 
  • The user does not have a company email 

Data Loss Prevention Quiz Answer

You are on a team of security professionals working for Any bank, and you have been tasked with implementing a DLP solution for them. You will be giving a presentation later in the week to discuss your implementation plan, and your team wants to make a good impression. The CISO has given you a list of questions to help you prepare for the meeting.   Directions: Answer the following questions regarding your DLP solution for the bank. (D3, L7.1) 

Q.1. Which of the following is an important step to implementing a DLP solution? 

  • Identify the types and locations of information the organization possesses. 
  • Classify data types by sensitivity and how that data enters, flows and exits the systems. 
  • Outline information relating to data repositories and transmission paths. 
  • All of these.

Q.2. Do specific policies need to be created? 

  • Yes
  • No

Q.3. Which mode of operation is best when first implementing a DLP solution, active or passive? 

  • Active
  • Passive

Q.4. What might a limitation be when considering DLP?   

  • Sensitive data would not be able to be copied without authorization.
  • There is visibility into where data is being stored, sent, etc.  
  • Encrypted files and/or traffic can’t be examined without first decrypting it. 
  • All of these.

Q.5. Which of these would be the most urgent signal or event for security personnel to respond to? (D3, L7.1) 

  • Precursors 
  • Indicators 
  • Indicators of compromise 
  • Event of interest 

Debrief Report Quiz Answer

Q.1. You are the security professional for an online retailer XYZ Online Ltd.  An incident occurred several days ago in which a fire broke out at one of the company’s distribution centers. The incident was dealt with and a debriefing with those involved has been carried out.  

Directions: Help complete the debrief report by matching the comment needed in the report to the correct party or issue presented in the debriefing. (D4, L7.2) 

Fire department took longer than expected to respond to the alarm activation or 911 (999) call.

  • Water (Identified by fire department)
  • Failure to declare (Identified by Health and Safety Executive, a UK government agency)
  • Hazard identification
  • Lack of information provided
  • Emergency service response time (Identified by XYZ Online)
  • Failure to update

Q.2. Fire hydrant access blocked, lack of water supplies, low water pressure

  • Water (Identified by fire department)
  • Failure to declare (Identified by Health and Safety Executive, a UK government agency)
  • Hazard identification
  • Lack of information provided
  • Emergency service response time (Identified by XYZ Online)
  • Failure to update

Q.3. Fire department called, middle and senior management not informed. General public not notified.

Water (Identified by fire department)

  • Failure to declare (Identified by Health and Safety Executive, a UK government agency)
  • Hazard identification
  • Lack of information provided
  • Emergency service response time (Identified by XYZ Online)
  • Failure to update

Q.4. This was potentially a major incident with wider reaching health and/or safety implications 

  • Water (Identified by fire department)
  • Failure to declare (Identified by Health and Safety Executive, a UK government agency)
  • Hazard identification
  • Lack of information provided
  • Emergency service response time (Identified by XYZ Online)
  • Failure to update

Q.5.Timely updates to all personal, regulatory bodies and the general public not issued.

  • Water (Identified by fire department)
  • Failure to declare (Identified by Health and Safety Executive, a UK government agency)
  • Hazard identification
  • Lack of information provided
  • Emergency service response time (Identified by XYZ Online)
  • Failure to update

Q.6. Batteries, chemicals, toxic substances, waste products.

  • Water (Identified by fire department)
  • Failure to declare (Identified by Health and Safety Executive, a UK government agency)
  • Hazard identification
  • Lack of information provided
  • Emergency service response time (Identified by XYZ Online)
  • Failure to update

Which statement best describes an adverse event?  (D4, L7.2) 

  • Adverse events are unplanned, possibly accidental occurrences that impact normal IT and OT operations, such as a server shutdown or corruption of data.
  • Adverse events may be unplanned and accidental disruptions to IT and OT operations or they may be part of an attack.
  • Adverse events are deliberate, hostile disruptions of IT and OT operations.
  • Adverse events are disruptions caused by external causes, such as bad weather, power or internet outages, or internal events such as a fire alarm being triggered. 

Activity 3: Forensic Investigations

You have been asked to assist the corporation’s cyber forensics team in a suspected case of identity theft. An investigation has been launched because customer account information, including names, addresses and payment card details, has been found on the dark web.  It is not clear whether the information may have been stolen by someone within the organization, whether there was an additional external element to the theft or if a data breach has indeed occurred.  Directions: Consider the scenario and answer the following questions: (D4, L7.3) 

Q.1. What might be the best way to try and establish the extent of the problem? 

  • Ask your supervisor 
  • Try searching the dark web for traces
  • Report that there is no evidence of a data breach
  • All of these

Q.2. You have completed the search and discovered that there has indeed been a major data breach. What might be your next step? 

  • Review the log data
  • Prepare a media/police report
  • Reset all company logins
  • None of these

Q.3. After examining the network activity log files, nothing springs out as an indicator of an external attack. However, looking at the UEBA logs you notice that one of your employees, Sasha Coen, is being flagged. She is accessing the customer accounts files at odd times, usually outside of her normal working hours. What would need to be examined? 

  • Sasha’s personal cellphone
  • Sasha’s home
  • Sasha’s work computer
  • All of these

Week 02: Incident Detection and Response Coursera Quiz Answers

Chapter 7 Quiz: Incident Detection and Response

This quiz will help you to confirm your understanding and retention of concepts for this chapter. Please complete it by answering all questions, reviewing correct answers and feedback, and revisiting any chapter material you feel you need extra time with.

Instructions

  1. This Assessment contains 10 objective item questions.
  2. Recommended time limit is 20 minutes, 2 minutes per question.
  3. Choose the best answer(s) for each question.
  4. You have unlimited attempts and may complete this assessment as many times as you would like.
  5. Passing grade for this quiz is 70%.
  6. Score of highest attempt will be calculated.

Your score and quiz report

  1. Each question carries 1 point.
  2. For each question, a 1/1 point indicates correct answer and 0/1 point indicates incorrect answer which you see upon quiz submission.
  3. Upon completion, you will be able to see your total number of attempts along with the score for each attempt.
  4. Your overall grade reflects the score of your highest attempt.
  5. Click on each attempt to view the completed quiz.

Q.1. What is the difference between a real and a virtual IRT?   (D4, L7.2)

  • Real IRTs meet in an incident response center, SOC or other facility; virtual ones meet in the cloud.
  • Virtual IRTs have permanently assigned members, who may or may not be called on as needed for any given incident; real IRTs are staffed from third-party service organizations.
  • Real IRTs are staffed by permanent employees or members of the organization, have designated work centers or locations and are trained and certified in incident response; virtual IRTs use volunteer or part-time talent, and their members may or may not be fully trained or certified.
  • There is no difference between a real and virtual IRT.

Q.2. Which of the following would not be acceptable in evidence collection?​ (D4, L7.3)

  • Collect “live” evidence first​
  • Use any forensic tool you are familiar with​
  • Create disk images
  • Use write blockers

Q.3. Incident response planning and procedures should include clearly defined internal communication channels that address which of the following? (D4, L7.2)

  • Escalation
  • End user advisories
  • Lessons learned and continued engagement updates
  • All of these

Q.4. Before a complete DLP solution can be introduced, you would need to consider all of the following except which one? (D3, L7.1)

  • Data in motion
  • Data by time
  • Data in use
  • Data in storage

Q.5. Which of the following is true regarding computer intrusions?  (D3, L7.1)

  • Covert attacks such as a distributed denial-of-service (DDoS) attack harm public opinion of an organization.
  • Overt attacks are easier to defend against because they can be readily identified.
  • Network intrusion detection systems (NIDSs) help mitigate computer intrusions by notifying personnel in real time.
  • Social engineering attacks are less effective than technical attacks.

Q.6. A security information and event management (SIEM) service performs which of the following functions?  (D3, L7.1)

  • Configures software for security policies and procedures
  • Aggregates logs from security devices and application servers looking for suspicious activity
  • Documents incident handling and communication
  • Matches user system authorization with physical access permissions

Q.7. With respect to network devices, servers, endpoints and other hosts, which of the following would be essential to support incident detection and characterization?  (D3, L7.1)

  • Using the same network time service (NTS)
  • Using the same brand and version of IDS, IPS and blocked/allowed behavior control tools
  • Using an IAAA
  • Having all devices protected by identity-based firewalls

Q.8. Which of the following statements about taking control of a scene is not correct? (D4, L7.3)

  • The controller must prevent anyone from entering the scene until the investigator has arrived.
  • Once evidence has been collected and removed, the person controlling the scene directs recovery efforts.
  • The person controlling the scene must ensure that no one can make changes to the scene and cannot take pictures, recordings or videos unless they enter beyond the chain of custody.
  • The person taking control of the scene ensures that the scene is protected from contamination or changes that might destroy evidence.

Q.9. Which of the following would not normally be a part of an all-source threat intelligence assessment? (D3, L7.1)

  • Social media such as Facebook or Twitter feeds
  • News and entertainment channels
  • Digital discovery orders

Q.10. Which tasks can SOAR systems do that SIEMs cannot? Select all that apply. (D4, L7.3)

  • Create and manage a secure evidence (custody) facility
  • Remotely manage the collection and collation of data from security appliances, devices, servers, endpoints and agents
  • Support user creation of workflows to direct and control the execution of routine and emergency tasks, such as data analysis or incident response
  • Remotely manage configuration settings for security appliances, devices, servers, endpoints and agents
Conclusion:

I hope this Incident Detection and Response Coursera Quiz Answers would be useful for you to learn something new from the Course. If it helped you, don’t forget to bookmark our site for more Quiz Answers.

This course is intended for audiences of all experiences who are interested in learning about new skills in a business context; there are no prerequisite courses.

Keep Learning!

Get All Course Quiz Answers of (ISC)² Systems Security Certified Practitioner (SSCP)

Introducing Security: Aligning Asset and Risk Management Quiz Answers

Risk Management: Use of Access Controls to Protect Assets Quiz Answers

Cryptography Coursera Quiz Answers

Securing Software, Data and End Points Coursera Quiz Answers

Networks and Communications Security Coursera Quiz Answers

Cloud and Wireless Security Coursera Quiz Answers

Incident Detection and Response Coursera Quiz Answers

Maturing Risk Management Coursera Quiz Answers

Leave a Reply

Your email address will not be published. Required fields are marked *

error: Content is protected !!