Get All Weeks Incident Detection and Response Coursera Quiz Answers
Week 01: Incident Detection and Response Coursera Quiz Answers
Knowledge Check: Monitoring Systems Quiz Answer
Q.1. Directions: Answer the following true/false questions to review monitoring system terminology. True or False? Real-time monitoring provides a means for immediately identifying overt and covert events. (D3, L7.1)
- True
- False
Q.2. True or False? Non-real-time monitoring is not considered useful in terms of incident detection and response. (D3, L7.1)
- True
- False
Q.3. True or False? An IDS has the ability to stop certain types of activities. (D3, L7.1)
- True
- False
Applied Scenario 1 Review: Access Controls and UEBA Quiz Answer
Q.1. Directions: Answer the following questions regarding IMI’s UEBA system. (D3, L7.1) Match the five typical use cases associated with UEBA to their description.
Connected devices that might contain sensitive data, of which IMI has hundreds. Used in the design, manufacturing and transportation to customers.
- Data loss prevention
- Entity analytics (IoT) devices
- Incident prioritization
- Compromised insiders
- Malicious insiders
Q.2. A contractor or employee who, for whatever reason, has turned to the “dark side,” perhaps a disgruntled employee or a malicious actor placed within IMI. If these insiders also have privileged account access, the potential impact increases.
- Data loss prevention
- Entity analytics (IoT) devices
- Incident prioritization
- Compromised insiders
- Malicious insiders
Q.3. IMI has always made use of these solutions to track suspicious network activities such as file access, data transfers and suspicious email usage. IMI has found that this method of tracking in particular results in extremely high volumes of alerts.
- Data loss prevention
- Entity analytics (IoT) devices
- Incident prioritization
- Compromised insiders
- Malicious insiders
Q.4. It is not uncommon to see situations where an attack from outside the organization has been successful with the end result being that privileged accounts are compromised or low-level accounts have been compromised and elevated. What is less common is discovering this type of attack using more traditional security tools and techniques.
- Data loss prevention
- Entity analytics (IoT) devices
- Incident prioritization
- Compromised insiders
- Malicious insiders
Q.5. SIEM solutions collect and aggregate information from a range of disparate devices to provide a central repository for analysis. The analytical element within UEBA helps to quickly identify and understand which events are the most suspicious and potentially the most harmful.
- Data loss prevention
- Entity analytics (IoT) devices
- Incident prioritization
- Compromised insiders
- Malicious insiders
Q.6. Based on the screen capture, what indicated that the user John Johnson’s network, file and email activities are suspicious?
- A research file was accessed
- The user logged in at 10:07 a.m.
- Large files were sent to a personal email account
- The user does not have a company email
Data Loss Prevention Quiz Answer
You are on a team of security professionals working for Any bank, and you have been tasked with implementing a DLP solution for them. You will be giving a presentation later in the week to discuss your implementation plan, and your team wants to make a good impression. The CISO has given you a list of questions to help you prepare for the meeting. Directions: Answer the following questions regarding your DLP solution for the bank. (D3, L7.1)
Q.1. Which of the following is an important step to implementing a DLP solution?
- Identify the types and locations of information the organization possesses.
- Classify data types by sensitivity and how that data enters, flows and exits the systems.
- Outline information relating to data repositories and transmission paths.
- All of these.
Q.2. Do specific policies need to be created?
- Yes
- No
Q.3. Which mode of operation is best when first implementing a DLP solution, active or passive?
- Active
- Passive
Q.4. What might a limitation be when considering DLP?
- Sensitive data would not be able to be copied without authorization.
- There is visibility into where data is being stored, sent, etc.
- Encrypted files and/or traffic can’t be examined without first decrypting it.
- All of these.
Q.5. Which of these would be the most urgent signal or event for security personnel to respond to? (D3, L7.1)
- Precursors
- Indicators
- Indicators of compromise
- Event of interest
Debrief Report Quiz Answer
Q.1. You are the security professional for an online retailer XYZ Online Ltd. An incident occurred several days ago in which a fire broke out at one of the company’s distribution centers. The incident was dealt with and a debriefing with those involved has been carried out.
Directions: Help complete the debrief report by matching the comment needed in the report to the correct party or issue presented in the debriefing. (D4, L7.2)
Fire department took longer than expected to respond to the alarm activation or 911 (999) call.
- Water (Identified by fire department)
- Failure to declare (Identified by Health and Safety Executive, a UK government agency)
- Hazard identification
- Lack of information provided
- Emergency service response time (Identified by XYZ Online)
- Failure to update
Q.2. Fire hydrant access blocked, lack of water supplies, low water pressure.
- Water (Identified by fire department)
- Failure to declare (Identified by Health and Safety Executive, a UK government agency)
- Hazard identification
- Lack of information provided
- Emergency service response time (Identified by XYZ Online)
- Failure to update
Q.3. Fire department called, middle and senior management not informed. General public not notified.
- Water (Identified by fire department)
- Failure to declare (Identified by Health and Safety Executive, a UK government agency)
- Hazard identification
- Lack of information provided
- Emergency service response time (Identified by XYZ Online)
- Failure to update
Q.4. This was potentially a major incident with wider reaching health and/or safety implications.
- Water (Identified by fire department)
- Failure to declare (Identified by Health and Safety Executive, a UK government agency)
- Hazard identification
- Lack of information provided
- Emergency service response time (Identified by XYZ Online)
- Failure to update
Q.5. Timely updates to all personnel, regulatory bodies and the general public not issued.
- Water (Identified by fire department)
- Failure to declare (Identified by Health and Safety Executive, a UK government agency)
- Hazard identification
- Lack of information provided
- Emergency service response time (Identified by XYZ Online)
- Failure to update
Q.6. Batteries, chemicals, toxic substances, waste products.
- Water (Identified by fire department)
- Failure to declare (Identified by Health and Safety Executive, a UK government agency)
- Hazard identification
- Lack of information provided
- Emergency service response time (Identified by XYZ Online)
- Failure to update
Which statement best describes an adverse event? (D4, L7.2)
- Adverse events are unplanned, possibly accidental occurrences that impact normal IT and OT operations, such as a server shutdown or corruption of data.
- Adverse events may be unplanned and accidental disruptions to IT and OT operations or they may be part of an attack.
- Adverse events are deliberate, hostile disruptions of IT and OT operations.
- Adverse events are disruptions caused by external causes, such as bad weather, power or internet outages, or internal events such as a fire alarm being triggered.
Activity 3: Forensic Investigations
You have been asked to assist the corporation’s cyber forensics team in a suspected case of identity theft. An investigation has been launched because customer account information, including names, addresses and payment card details, has been found on the dark web. It is not clear whether the information may have been stolen by someone within the organization, whether there was an additional external element to the theft or if a data breach has indeed occurred. Directions: Consider the scenario and answer the following questions: (D4, L7.3)
Q.1. What might be the best way to try and establish the extent of the problem?
- Ask your supervisor
- Try searching the dark web for traces
- Report that there is no evidence of a data breach
- All of these
Q.2. You have completed the search and discovered that there has indeed been a major data breach. What might be your next step?
- Review the log data
- Prepare a media/police report
- Reset all company logins
- None of these
Q.3. After examining the network activity log files, nothing springs out as an indicator of an external attack. However, looking at the UEBA logs you notice that one of your employees, Sasha Coen, is being flagged. She is accessing the customer accounts files at odd times, usually outside of her normal working hours. What would need to be examined?
- Sasha’s personal cellphone
- Sasha’s home
- Sasha’s work computer
- All of these
Week 02: Incident Detection and Response Coursera Quiz Answers
Chapter 7 Quiz: Incident Detection and Response
This quiz will help you to confirm your understanding and retention of concepts for this chapter. Please complete it by answering all questions, reviewing correct answers and feedback, and revisiting any chapter material you feel you need extra time with.
Instructions
- This Assessment contains 10 objective item questions.
- Recommended time limit is 20 minutes, 2 minutes per question.
- Choose the best answer(s) for each question.
- You have unlimited attempts and may complete this assessment as many times as you would like.
- Passing grade for this quiz is 70%.
- Score of highest attempt will be calculated.
Your score and quiz report
- Each question carries 1 point.
- For each question, a score of 1/1 indicates a correct answer and 0/1 an incorrect answer, which you see upon quiz submission.
- Upon completion, you will be able to see your total number of attempts along with the score for each attempt.
- Your overall grade reflects the score of your highest attempt.
- Click on each attempt to view the completed quiz.
Q.1. What is the difference between a real and a virtual IRT? (D4, L7.2)
- Real IRTs meet in an incident response center, SOC or other facility; virtual ones meet in the cloud.
- Virtual IRTs have permanently assigned members, who may or may not be called on as needed for any given incident; real IRTs are staffed from third-party service organizations.
- Real IRTs are staffed by permanent employees or members of the organization, have designated work centers or locations and are trained and certified in incident response; virtual IRTs use volunteer or part-time talent, and their members may or may not be fully trained or certified.
- There is no difference between a real and virtual IRT.
Q.2. Which of the following would not be acceptable in evidence collection? (D4, L7.3)
- Collect “live” evidence first
- Use any forensic tool you are familiar with
- Create disk images
- Use write blockers
Q.3. Incident response planning and procedures should include clearly defined internal communication channels that address which of the following? (D4, L7.2)
- Escalation
- End user advisories
- Lessons learned and continued engagement updates
- All of these
Q.4. Before a complete DLP solution can be introduced, you would need to consider all of the following except which one? (D3, L7.1)
- Data in motion
- Data by time
- Data in use
- Data in storage
Q.5. Which of the following is true regarding computer intrusions? (D3, L7.1)
- Covert attacks such as a distributed denial-of-service (DDoS) attack harm public opinion of an organization.
- Overt attacks are easier to defend against because they can be readily identified.
- Network intrusion detection systems (NIDSs) help mitigate computer intrusions by notifying personnel in real time.
- Social engineering attacks are less effective than technical attacks.
Q.6. A security information and event management (SIEM) service performs which of the following functions? (D3, L7.1)
- Configures software for security policies and procedures
- Aggregates logs from security devices and application servers looking for suspicious activity
- Documents incident handling and communication
- Matches user system authorization with physical access permissions
Q.7. With respect to network devices, servers, endpoints and other hosts, which of the following would be essential to support incident detection and characterization? (D3, L7.1)
- Using the same network time service (NTS)
- Using the same brand and version of IDS, IPS and blocked/allowed behavior control tools
- Using an IAAA
- Having all devices protected by identity-based firewalls
Q.8. Which of the following statements about taking control of a scene is not correct? (D4, L7.3)
- The controller must prevent anyone from entering the scene until the investigator has arrived.
- Once evidence has been collected and removed, the person controlling the scene directs recovery efforts.
- The person controlling the scene must ensure that no one can make changes to the scene and cannot take pictures, recordings or videos unless they enter beyond the chain of custody.
- The person taking control of the scene ensures that the scene is protected from contamination or changes that might destroy evidence.
Q.9. Which of the following would not normally be a part of an all-source threat intelligence assessment? (D3, L7.1)
- Social media such as Facebook or Twitter feeds
- News and entertainment channels
- Digital discovery orders
Q.10. Which tasks can SOAR systems do that SIEMs cannot? Select all that apply. (D4, L7.3)
- Create and manage a secure evidence (custody) facility
- Remotely manage the collection and collation of data from security appliances, devices, servers, endpoints and agents
- Support user creation of workflows to direct and control the execution of routine and emergency tasks, such as data analysis or incident response
- Remotely manage configuration settings for security appliances, devices, servers, endpoints and agents