Chapters 102โ107 Practice Exam
Time remaining
25:00
Part A โ Multiple Choice (Questions 1โ20)
Ch 102 ยท Incident Planning
Question 1 of 20
A security team hypothesizes that an APT group is using Living-off-the-Land techniques โ abusing built-in Windows tools such as PowerShell and WMI โ to move laterally without triggering signature-based alerts. The team searches SIEM and EDR telemetry for these behavioral patterns for two weeks and finds no evidence of the technique. What type of security activity is this, and what value does it produce even without finding a compromise?
โ
A โ Threat hunting. Threat hunting is a proactive discipline where analysts search for evidence of compromise or attacker techniques that have not triggered any alert. It is hypothesis-driven: the analyst formulates a hypothesis (APT using PowerShell LOLBins) then searches telemetry for behavioral patterns matching the technique. A hunt that finds nothing still produces three types of value: (1) confirmation the hypothesized technique is not present in the examined data for the examined period; (2) the search logic can become an automated detection rule; (3) analysts build a more detailed understanding of what normal behavior looks like. Threat intelligence is reactive โ it detects known indicators already identified as malicious. Hunting is proactive โ it searches for unknown compromise before any indicator fires.
Ch 102 ยท Incident Planning
Question 2 of 20
The IR team and department managers gather for a two-hour meeting to verbally walk through how they would respond if ransomware encrypted the primary file servers. No systems are touched; the team discusses decision points and escalation paths. Afterward, the CISO notes the exercise was valuable for communication but that several participants expressed uncertainty about whether the backup restoration tool actually works with current server configurations. What type of exercise was conducted, and what gap does the CISO's observation reveal?
โ
B โ Tabletop exercise. A tabletop exercise is a structured discussion where participants verbally walk through scenario response decisions without touching live systems. It tests plans, communication, roles, and decision-making. Its primary limitation โ which the CISO's observation directly illustrates โ is that technical execution gaps are invisible. The team verbally agrees they would restore from backup, but whether the backup tool actually works with current server configurations is unknown until someone runs it. Simulations use live or test systems and reveal technical gaps. Tabletops are lower-cost and appropriate for testing plans and communications; simulations are higher-cost but test actual technical execution capability. Both are necessary; tabletops alone leave technical gaps untested.
Ch 102 ยท Incident Planning
Question 3 of 20
A post-incident investigation identifies three contributing factors: (1) an unpatched vulnerability in a public web server that was exploited; (2) a WAF rule misconfiguration that failed to block the payload; (3) a SIEM alert for the initial exploitation that was acknowledged and closed without investigation due to analyst workload. After patching the vulnerability, the IR team marks the root cause analysis complete. Which principle of effective root cause analysis was violated?
โ
C โ RCA must address all contributing causes. Effective root cause analysis identifies and addresses all root causes, not just the most technically convenient one. The investigation identified three independent contributing factors. A future attack could succeed through the WAF misconfiguration alone (without exploiting the now-patched CVE), or through a different alert that is again closed without investigation. Patching one vulnerability does not close the other two attack paths. The team's error is treating the proximate cause (the specific CVE) as the only cause when two systemic failures โ a misconfigured defensive control and an alert handling process failure โ remain unresolved. RCA findings must map to remediation actions for every identified contributing factor.
Ch 103 ยท Digital Forensics
Question 4 of 20
A forensic investigator arrives at a running workstation suspected of compromise. Evidence to collect includes: RAM contents, a full disk image, browser history, and firmware. The investigator plans to acquire the disk image first because it is the largest and most complete source of evidence. What is the critical flaw in this collection plan?
โ
D โ Collect most volatile to least volatile. RFC 3227 and forensic best practice establish that evidence must be collected in order of volatility โ from the most ephemeral to the most persistent. RAM is the most volatile: its entire contents are permanently and irreversibly lost the moment the system is powered off or rebooted. RAM contains running processes, injected malicious code, encryption keys held in memory, active network connection state, and credentials โ evidence unavailable anywhere else. Disk images, browser history stored on disk, and firmware all persist without power. Collecting the disk image first means that if the system is rebooted during the lengthy disk acquisition process (which can take hours), all RAM content is lost. The correct order is RAM โ firmware โ disk image โ disk-resident artifacts like browser history.
Ch 103 ยท Digital Forensics
Question 5 of 20
A company's general counsel sends an internal directive to the IT department after learning the company may be named as a defendant in a data breach lawsuit. The directive instructs IT to preserve all emails, access logs, and incident reports related to the breach โ and specifically to suspend all automated log rotation and deletion scripts that would otherwise purge this data. What is this directive called, what legal risk does non-compliance create, and who has authority to initiate it?
โ
A โ Legal hold. A legal hold (also called a litigation hold) is a directive issued by legal counsel that suspends all normal data deletion and modification procedures for data relevant to anticipated or actual litigation. Legal counsel โ not IT, not security, not compliance โ has the authority and responsibility to initiate a legal hold because it is a legal determination. The consequences of non-compliance are severe: destroying or failing to preserve relevant evidence after a legal hold is issued constitutes spoliation. Courts can impose adverse inference instructions (instructing the jury to assume the destroyed evidence was damaging), default judgments, financial sanctions, or dismissal of claims. Automated log rotation scripts are a primary concern because they continue deleting without human action unless explicitly suspended.
Ch 103 ยท Digital Forensics
Question 6 of 20
A forensic analyst images a suspect hard drive, computes the SHA-256 hash of both the original drive and the forensic image, confirms they match, seals the original in a tamper-evident evidence bag, and works exclusively from the image copy. Before testifying six months later, the analyst recomputes the hash of the stored forensic image and finds it matches the value recorded at collection time. What does this hash documentation prove, and why is it specifically required for chain of custody in legal proceedings?
โ
B โ Hash proves evidence integrity for chain of custody. Cryptographic hashes (SHA-256 produces a 256-bit mathematical fingerprint) have the property that any modification to the data โ even changing a single bit โ produces a completely different hash value. Computing the hash at acquisition time and recomputing it before court proceedings proves with mathematical certainty that the evidence was not modified in between. Chain of custody requires this proof because opposing counsel can otherwise argue the evidence was tampered with during storage or transport, rendering it inadmissible. The hash does not indicate whether files are malicious or encrypted โ it only proves data integrity. This is why hash values are recorded in the chain of custody log alongside every transfer and handling event.
Ch 104 ยท Log Data
Question 7 of 20
An organization's acceptable use policy prohibits employee access to social media during business hours. The network team configures the perimeter firewall to block outbound connections to known social media IP ranges on ports 80 and 443. Employees begin accessing social media through HTTPS connections that the firewall does not block โ the traffic appears identical to legitimate business web browsing on port 443. Which firewall capability would correctly identify and block the social media application regardless of port or IP range?
โ
C โ NGFW application identification. Traditional (stateful) firewalls enforce policy based on port numbers and IP addresses โ Layer 3/4 attributes. Applications that use non-standard ports or standard ports (like port 443) to blend in with legitimate traffic bypass port-based rules. Next-generation firewalls add Layer 7 application identification: they inspect the actual traffic characteristics, flow patterns, and session behavior to determine which application is generating the traffic, independent of port. Social media applications on port 443 look like HTTPS to a traditional firewall but are correctly identified as Facebook, Instagram, etc., by an NGFW. DNS sinkholing is an alternative approach but requires accurate domain lists and is bypassed by direct IP connections. NGFW application identification is the most comprehensive solution.
Ch 104 ยท Log Data
Question 8 of 20
A SIEM correlation rule generates an alert: "User account jsmith@company.com authenticated successfully from Chicago, IL at 10:00 AM EST, then authenticated successfully from Singapore at 10:17 AM EST." The account has no VPN service enabled, there is no shared account policy, and no travel was authorized. What is this type of detection called, and what does it most likely indicate?
โ
D โ Impossible travel detection. Impossible travel detection is a SIEM correlation technique that cross-references the physical locations of authentication events with the time elapsed between them. If a human being cannot physically travel between two authenticated locations in the time between authentications, it is physically impossible for both authentications to be the same legitimate user. Chicago to Singapore is approximately 9,000 miles โ impossible to traverse in 17 minutes. This strongly indicates credential compromise: either the attacker is using stolen credentials from Singapore while the legitimate user authenticated from Chicago, or both sessions belong to the attacker using the account from different infrastructure. This type of detection requires correlating identity logs with geolocation data โ a cross-source SIEM correlation that no single log source could produce alone.
Ch 104 ยท Log Data
Question 9 of 20
During a malware investigation, an analyst suspects that an infected server is exfiltrating data by encoding it within DNS query strings โ sending data out disguised as unusually long DNS lookup requests to a domain the attacker controls. The analyst needs to see the exact content of each DNS packet: the full query strings, record types, and response data. Which data source provides this level of payload detail?
โ
A โ Packet capture (pcap). Packet captures are the only log source that captures the complete byte content of every packet including the payload. For DNS analysis, pcap shows: the exact query string (revealing encoded data), DNS record type requested, the authoritative server queried, and the response content. This is the data needed to confirm DNS tunneling and reverse-engineer the encoding scheme. SIEM correlation can flag anomalous DNS patterns (high query frequency, unusually long query strings, low-TTL responses) but cannot show individual packet payload. DNS server logs capture query names and responses but may not be available for queries that go to external resolvers. NetFlow captures metadata (source/destination, bytes, protocol) without any payload content โ it can indicate DNS traffic volume anomalies but not the query content.
Ch 105 ยท Security Policies
Question 10 of 20
An organization's business continuity plan specifies that if the primary payment processing system becomes unavailable, staff should process customer transactions using paper authorization forms stored in the finance office supply room. During an actual system outage, staff cannot locate any paper forms, and the forms eventually found are three years out of date with fields that no longer match current transaction requirements. What BCP requirement did the organization fail to meet?
โ
B โ BCPs must be tested and updated regularly. A business continuity plan is only as reliable as its last test. Writing down a procedure does not verify that it works. The discovered gaps โ unknown form location, outdated form versions โ are classic consequences of a plan that was documented but never exercised. Testing reveals: locations of supplies staff have forgotten, forms that have changed since the plan was written, procedures staff do not know how to execute, and dependencies that have changed. Regular testing also drives updates when operational reality changes (new form versions, reorganized supply rooms, staff turnover). An untested BCP is a set of untested assumptions. The test should have uncovered these gaps before an actual outage forced the discovery under pressure.
Ch 105 ยท Security Policies
Question 11 of 20
A financial services firm requires a maximum tolerable downtime of 4 hours for its loan processing system. Its disaster recovery plan directs IT to fail over to a secondary data center with hardware pre-installed and configured, database backups replicated every 30 minutes to the secondary site, and an estimated 2-hour restoration time to load the most recent backup and bring systems online. What type of recovery site is the secondary location, and why is it appropriate for a 4-hour RTO?
โ
C โ Warm site. A warm site has pre-installed hardware and software that mirrors the primary environment configuration, but relies on periodic (not real-time) data replication. Recovery requires loading the most recent backup to get data current, typically taking 1โ4 hours. This matches the scenario: pre-installed hardware + 30-minute backup replication + 2-hour restoration time = failover achievable within the 4-hour RTO. A hot site has real-time synchronous mirroring and can resume in minutes โ it would exceed the requirement at higher cost. A cold site provides only space and power; hardware procurement and setup take days to weeks, making it incompatible with a 4-hour RTO. Warm sites balance cost (cheaper than hot) against recovery time (longer than hot) and are the appropriate choice when RTO requirements are measured in hours, not minutes.
Ch 105 ยท Security Policies
Question 12 of 20
A company discovers that an IT contractor has been using company servers to mine cryptocurrency for personal profit over the past two months. Legal counsel investigates potential liability and discipline options. The investigation reveals the contractor received system access and a security orientation briefing but was never presented with or asked to acknowledge the company's acceptable use policy. What is the primary legal implication of this gap?
โ
D โ AUP acknowledgment creates documented notice. The acceptable use policy serves two purposes: it defines prohibited behaviors AND it documents that each user received notice of those prohibitions. When an employee or contractor acknowledges the AUP (typically by signature or digital acknowledgment), the organization has a record proving the person knew the conduct was prohibited. Without this documentation, the contractor can argue they did not know cryptocurrency mining was prohibited โ "no one told me I couldn't." This weakens both civil liability claims and internal disciplinary justifications. The AUP acknowledgment is the legal foundation for enforcement. This is why AUP acknowledgment is typically required before any system access is granted โ the gap in this scenario existed from day one of the contractor's engagement.
Ch 106 ยท Security Standards
Question 13 of 20
A company's password storage standard mandates bcrypt with a minimum work factor of 12 and unique salts. During a breach review, the team discovers that the development environment used unsalted SHA-256 hashes instead. An attacker has obtained the development database containing 50,000 unsalted SHA-256 password hashes. What specific advantages does the attacker have against unsalted SHA-256 compared to bcrypt with salt?
โ
A โ Rainbow tables + GPU speed against unsalted SHA-256. Unsalted SHA-256 has two critical weaknesses: (1) identical passwords always produce identical hashes โ an attacker sees that 3,000 of the 50,000 accounts share a hash and immediately knows all 3,000 use the same password without cracking any; (2) SHA-256 is fast by design, enabling modern GPUs to compute 10โ50 billion hashes per second, making brute-force cracking of all 50,000 accounts feasible in minutes to hours. Rainbow tables (pre-computed hash-to-plaintext lookup tables) further accelerate recovery of common passwords. Bcrypt's salt ensures each account produces a unique hash even with the same password, invalidating rainbow tables and preventing bulk compromise. bcrypt's work factor makes each hash computation expensive (milliseconds), reducing GPU throughput from billions/second to thousands/second. Both properties are necessary; salt alone defeats rainbow tables but not brute force speed. SHA-256 is a one-way hash (not symmetric encryption) โ it cannot be reversed, but speed makes brute force feasible.
Ch 106 ยท Security Standards
Question 14 of 20
A company's encryption standard mandates AES-256 for full disk encryption on all laptops and TLS 1.3 for all web applications transmitting customer data. A compliance auditor asks the security team to explain which data state each control is designed to protect and why different encryption technologies are required for each state.
โ
B โ AES-256 (at rest) and TLS 1.3 (in transit). Data has three states: at rest (stored, not moving), in transit (actively moving across a network), and in use (being actively processed in memory). Full disk encryption (FDE) with AES-256 protects data at rest: if a laptop is physically stolen or lost, the attacker cannot read the disk contents without the decryption key. TLS 1.3 protects data in transit: when customer data is sent between a browser and a web server, TLS encrypts the session to prevent network interception (man-in-the-middle attacks, eavesdropping). Different technologies address different threat models: FDE addresses physical compromise of storage media; TLS addresses network interception. A third control type โ memory encryption or confidential computing โ would address data in use, but neither FDE nor TLS provides that protection.
Ch 106 ยท Security Standards
Question 15 of 20
A US-based technology company wants to sell cloud services to European enterprise customers. The sales team believes achieving a security framework certification will help win European contracts. They are choosing between pursuing ISO/IEC 27001 certification and aligning with the NIST Cybersecurity Framework. Which statement correctly describes the difference between these two options for this specific goal?
โ
C โ ISO 27001 is independently certified; NIST CSF is self-assessed. ISO/IEC 27001 is an international standard managed by the International Organization for Standardization. Achieving certification requires an accredited third-party auditor to verify that the organization's Information Security Management System (ISMS) meets the standard's requirements. European enterprise buyers can independently verify ISO 27001 certification through public certificate registries. NIST CSF is a risk management framework published by the US National Institute of Standards and Technology โ it is widely adopted but does not have a certification body. An organization can claim NIST CSF alignment without any external verification, which gives prospective customers less assurance. For building trust with European buyers who cannot audit each vendor's security program themselves, ISO 27001 certification's independent verification is significantly more credible. GDPR does not mandate any specific security framework.
Ch 106 ยท Security Standards
Question 16 of 20
A company's access control standard states that system access must be removed "promptly upon employment separation." In practice, HR submits deprovisioning requests to IT 3โ5 business days after the employee's last day. During this gap, a terminated employee โ disgruntled about their dismissal โ uses their still-active VPN credentials to access internal systems and download confidential client data. What should the access control standard specifically require to eliminate this gap?
โ
D โ Immediate access removal on last day of employment. The 3โ5 day notification gap is a systemic process failure. During this window, the separated employee's credentials remain active and usable โ for the employee themselves (as this incident demonstrates) or for an attacker who obtained their credentials near the separation date. The access control standard must specify the timeline precisely: access removal on the last day of employment, not "promptly afterward." The fix requires integrating HR separation workflows with IT provisioning systems so that HR's authorization of separation automatically triggers account disablement โ eliminating the manual notification step that introduces delay. Many organizations achieve this through HRIS-to-identity management integration. The standard should also address privileged access (admin accounts) which warrant same-day or even intra-day removal before the final walkout.
Ch 107 ยท Security Procedures
Question 17 of 20
A company deploys a SOAR platform integrated with its SIEM, EDR, ticketing system, and threat intelligence feeds. When the SIEM generates an alert matching a ransomware behavioral signature, the SOAR automatically isolates the affected endpoint via the EDR API, creates a Priority-1 incident ticket, sends an SMS page to the on-call analyst, and queries the threat intelligence platform for the malware family hash โ all within 45 seconds without any human action. What specific SOAR capability does this demonstrate, and what would have occurred if only a SIEM were deployed with no SOAR?
โ
A โ SOAR orchestration and automated playbook execution. SOAR (Security Orchestration, Automation, and Response) integrates multiple security tools via APIs and executes pre-defined response playbooks automatically when trigger conditions are met. The key value proposition: compressing mean time to respond (MTTR) from minutes to seconds by automating what analysts would otherwise do manually. In this scenario, SOAR simultaneously orchestrated four actions across four different platforms in 45 seconds โ a human analyst performing the same steps manually would typically take 15โ45 minutes per step. During a ransomware event, every minute of delay allows more files to be encrypted. A SIEM generates alerts and stores logs but does not execute response actions โ it is a detection and analysis tool. SOAR is the response orchestration layer. EDR handles endpoint-level detection and isolation but does not orchestrate cross-tool workflows autonomously.
Ch 107 ยท Security Procedures
Question 18 of 20
A database administrator submits an emergency change request to modify production database index configurations to address a severe performance degradation affecting business operations. The Change Control Board review identifies that no rollback procedure is documented. The DBA argues the urgency justifies waiving the backout plan requirement. What should the CCB decide, and why?
โ
B โ Backout plans are required even for emergency changes. The backout plan (rollback procedure) is not an optional component for non-urgent changes โ it is a required element of any change request. The CCB's role includes verifying that a backout plan exists and is executable before approving any change. The DBA's argument inverts the logic: emergency conditions make a backout plan more critical, not less. In a high-pressure situation where an emergency change also fails, improvising database recovery without a documented rollback procedure under business pressure is significantly more dangerous than in a planned maintenance window. A database backup is not a backout plan โ it is a data recovery mechanism; the backout plan specifies the exact steps to reverse the specific index configuration change. The CCB should require a documented backout plan before approval, which the DBA can write quickly since they should know the reverse procedure if they know how to make the change.
Ch 107 ยท Security Procedures
Question 19 of 20
A multinational corporation's CISO publishes global minimum security requirements: all subsidiaries must implement MFA for remote access, encrypt laptops with AES-256, and maintain a SIEM. Each regional subsidiary is responsible for selecting specific vendors, configuring their implementations, and adapting controls to meet local regulatory requirements, as long as the central minimums are satisfied. What governance model is this, and what is its primary advantage over purely centralized or purely decentralized alternatives?
โ
C โ Federated (hybrid) governance. Federated governance is characterized by a division of authority: the central function (CISO) establishes enterprise-wide minimum standards that all subsidiaries must meet, while subsidiaries retain local implementation authority within those standards. The advantages over alternatives: purely centralized governance is inflexible and cannot adapt to local regulatory differences (a European subsidiary may have GDPR obligations that a US subsidiary does not), local operational contexts, or local vendor availability โ decisions made centrally for 15 subsidiaries in 12 countries may not fit any of them well. Purely decentralized governance creates an inconsistent security posture where the weakest subsidiary becomes the enterprise's weakest link and enterprise-wide visibility is impossible. Federated governance provides a consistent minimum bar (enterprise risk management) while enabling local adaptation (regulatory compliance and operational fit).
Ch 107 ยท Security Procedures
Question 20 of 20
A senior systems engineer is terminated. The engineer administered encrypted network shares using EFS, held active code-signing certificates used on several production applications, and owned numerous digital signatures on approved change control documents. HR requests immediate account deletion to comply with the company's policy of removing terminated employee data. The security team proposes disabling the account immediately but delaying deletion for 90 days. What is the security team's correct reasoning?
โ
D โ Disable immediately; delete after verifying no unresolved cryptographic dependencies. Disabling an account (setting it to inactive) immediately achieves the primary security goal: the terminated employee can no longer authenticate. However, deleting the account immediately destroys all cryptographic associations: EFS encryption keys are tied to the account's certificate โ delete the account and the encrypted files may become permanently unreadable. Code-signing certificates tied to the account identity may invalidate signatures on production binaries, causing security tools to reject them. Digital signatures on approved change control documents may become unverifiable. The 90-day window allows the IT team to: identify all EFS-encrypted data and re-encrypt under active accounts; transfer or re-issue code-signing certificates; document and preserve the chain of digital signatures for compliance records. Disabling is the correct immediate security action; deletion requires careful dependency verification first.
Part B โ Scenario Questions (unscored โ self-assess)
Ch 102โ104 ยท Scenario
Scenario Question A
A healthcare organization's security team is responding to a suspected insider threat. A monthly access report flagged that a nurse's account accessed 4,200 patient records in a single day โ 80ร the account's normal daily average. The nurse denies any unusual activity and claims she was on annual leave that day. The security team begins a formal investigation.
Day 1: The team discovers the nurse's workstation was left logged in and unattended in an unlocked break room. A colleague reports seeing an unfamiliar person at the workstation during the nurse's absence.
Day 2: The SIEM analyst runs a query for the past 90 days of access logs for the nurse's account and finds three prior anomalous access events that were acknowledged and auto-closed by a previous analyst.
Day 3: The legal team determines the incident may involve HIPAA violations and potential criminal identity theft charges.
Address: (1) What type of security activity generated the initial alert, what data source produced it, and why is this anomaly detection approach effective for insider threats? (2) What forensic challenge arises from the fact that the access occurred from a logged-in unattended workstation, and what evidence should the team prioritize collecting and from which sources? (3) What obligation does the legal team's Day 3 determination create regarding data preservation, who must initiate it, and what happens to all automated log deletion processes during the investigation?
Day 1: The team discovers the nurse's workstation was left logged in and unattended in an unlocked break room. A colleague reports seeing an unfamiliar person at the workstation during the nurse's absence.
Day 2: The SIEM analyst runs a query for the past 90 days of access logs for the nurse's account and finds three prior anomalous access events that were acknowledged and auto-closed by a previous analyst.
Day 3: The legal team determines the incident may involve HIPAA violations and potential criminal identity theft charges.
Address: (1) What type of security activity generated the initial alert, what data source produced it, and why is this anomaly detection approach effective for insider threats? (2) What forensic challenge arises from the fact that the access occurred from a logged-in unattended workstation, and what evidence should the team prioritize collecting and from which sources? (3) What obligation does the legal team's Day 3 determination create regarding data preservation, who must initiate it, and what happens to all automated log deletion processes during the investigation?
1. Alert type, data source, and insider threat effectiveness:
Activity type: User Behavior Analytics (UBA) anomaly detection โ specifically, a data access volume anomaly. UBA establishes a behavioral baseline per account (normal daily record access = ~50 records) and generates an alert when current behavior significantly deviates from baseline (4,200 records = 80ร baseline).
Data source: The access report is derived from application-level audit logs (the EHR/clinical system's access log) fed into or correlated with the SIEM. The monthly report is a scheduled SIEM report, not a real-time dashboard โ it provides periodic behavioral visibility across all accounts.
Why effective for insider threats: Insider threats are difficult to detect because insiders use legitimate credentials and have authorized access. Signature-based detection (malware hashes, known-bad IPs) misses insider threats entirely because no attack tool is used. UBA detects what insiders actually do โ behavioral anomalies: wrong time, wrong volume, wrong resources โ that deviate from the established baseline of the individual's normal work pattern. The nurse's account had authorized access to all patient records; the volume anomaly was the only detectable signal.
2. Forensic challenge and evidence priorities:
Challenge: The workstation was shared (logged in, unattended) โ authentication cannot establish who was physically at the keyboard. The nurse's credentials authenticated the session, but anyone with physical access to the unattended workstation could have performed the access. The investigation must establish physical presence at the workstation during the access window through non-credential evidence.
Evidence to prioritize, by source:
โข Physical security camera footage (most critical): cameras in or near the break room may show who was physically at the workstation during the access window. This can confirm or refute the colleague's report of an unfamiliar person.
โข Badge/physical access logs: who badged into the break room, corridor, or floor during the access window. Can establish who had physical access during that time.
โข Workstation session logs: exact timestamps of individual record accesses, navigation patterns, typing velocity โ behavioral patterns that may indicate a different user than the account owner.
โข Network access logs: source IP and workstation identifier to confirm the access originated from the specific physical workstation (not remote access from another location).
โข SIEM historical logs: the three prior auto-closed anomalous events should be reopened and re-analyzed โ they may represent earlier reconnaissance or testing by the same unauthorized accessor.
3. Legal hold obligation:
Obligation created: A legal hold (litigation hold) must be issued immediately. HIPAA violation investigations and criminal proceedings involving medical records create both civil and criminal legal exposure. Once litigation is anticipated, all relevant ESI must be preserved.
Who initiates it: Legal counsel โ not IT, not security, not the CISO. The determination that proceedings are anticipated is a legal judgment, and only legal counsel has the authority and responsibility to issue a legal hold. IT and security implement the preservation; legal initiates and lifts it.
Effect on automated deletion: All automated log deletion, rotation, and archival processes for relevant data must be immediately suspended. This includes: SIEM log rotation for all logs related to the nurse's account and the affected systems; EHR audit log deletion; physical security camera footage overwrite schedules; badge access log purge jobs. Failure to suspend these processes after a legal hold is issued constitutes spoliation of evidence, exposing the organization to court-imposed sanctions including adverse inference instructions, default judgment, or case dismissal.
Activity type: User Behavior Analytics (UBA) anomaly detection โ specifically, a data access volume anomaly. UBA establishes a behavioral baseline per account (normal daily record access = ~50 records) and generates an alert when current behavior significantly deviates from baseline (4,200 records = 80ร baseline).
Data source: The access report is derived from application-level audit logs (the EHR/clinical system's access log) fed into or correlated with the SIEM. The monthly report is a scheduled SIEM report, not a real-time dashboard โ it provides periodic behavioral visibility across all accounts.
Why effective for insider threats: Insider threats are difficult to detect because insiders use legitimate credentials and have authorized access. Signature-based detection (malware hashes, known-bad IPs) misses insider threats entirely because no attack tool is used. UBA detects what insiders actually do โ behavioral anomalies: wrong time, wrong volume, wrong resources โ that deviate from the established baseline of the individual's normal work pattern. The nurse's account had authorized access to all patient records; the volume anomaly was the only detectable signal.
2. Forensic challenge and evidence priorities:
Challenge: The workstation was shared (logged in, unattended) โ authentication cannot establish who was physically at the keyboard. The nurse's credentials authenticated the session, but anyone with physical access to the unattended workstation could have performed the access. The investigation must establish physical presence at the workstation during the access window through non-credential evidence.
Evidence to prioritize, by source:
โข Physical security camera footage (most critical): cameras in or near the break room may show who was physically at the workstation during the access window. This can confirm or refute the colleague's report of an unfamiliar person.
โข Badge/physical access logs: who badged into the break room, corridor, or floor during the access window. Can establish who had physical access during that time.
โข Workstation session logs: exact timestamps of individual record accesses, navigation patterns, typing velocity โ behavioral patterns that may indicate a different user than the account owner.
โข Network access logs: source IP and workstation identifier to confirm the access originated from the specific physical workstation (not remote access from another location).
โข SIEM historical logs: the three prior auto-closed anomalous events should be reopened and re-analyzed โ they may represent earlier reconnaissance or testing by the same unauthorized accessor.
3. Legal hold obligation:
Obligation created: A legal hold (litigation hold) must be issued immediately. HIPAA violation investigations and criminal proceedings involving medical records create both civil and criminal legal exposure. Once litigation is anticipated, all relevant ESI must be preserved.
Who initiates it: Legal counsel โ not IT, not security, not the CISO. The determination that proceedings are anticipated is a legal judgment, and only legal counsel has the authority and responsibility to issue a legal hold. IT and security implement the preservation; legal initiates and lifts it.
Effect on automated deletion: All automated log deletion, rotation, and archival processes for relevant data must be immediately suspended. This includes: SIEM log rotation for all logs related to the nurse's account and the affected systems; EHR audit log deletion; physical security camera footage overwrite schedules; badge access log purge jobs. Failure to suspend these processes after a legal hold is issued constitutes spoliation of evidence, exposing the organization to court-imposed sanctions including adverse inference instructions, default judgment, or case dismissal.
Ch 105โ107 ยท Scenario
Scenario Question B
A regional bank undergoes an external security governance audit. The audit produces four findings:
Finding 1: The disaster recovery plan directs failover to a secondary site with pre-installed hardware and 4-hour-old backup replication. During a live DR test, systems took 6.5 hours to reach operational state โ exceeding the bank's regulatory RTO of 4 hours.
Finding 2: Three network engineers made undocumented configuration changes to production routers over the past quarter without CCB approval. One change opened inbound port 23 (Telnet) on an edge router that remained undetected for 47 days until the audit.
Finding 3: New hires in the IT department receive domain admin rights by default "to avoid repeated helpdesk tickets for access requests." Access reviews occur annually.
Finding 4: The SOAR platform has three playbooks (ransomware response, phishing response, account compromise) that have not been tested in 18 months. The security team assumes the playbooks still work correctly.
Address: (1) For Finding 1, what type of recovery site does the secondary location represent, and what specific changes to the DR configuration and testing process are required to meet the 4-hour RTO? (2) For Finding 2, what change management control failures occurred, and what specific CCB process requirements would have detected the Telnet port change within hours rather than 47 days? (3) For Findings 3 and 4, identify the security principle or procedure violated in each case and describe the specific corrective action required.
Finding 1: The disaster recovery plan directs failover to a secondary site with pre-installed hardware and 4-hour-old backup replication. During a live DR test, systems took 6.5 hours to reach operational state โ exceeding the bank's regulatory RTO of 4 hours.
Finding 2: Three network engineers made undocumented configuration changes to production routers over the past quarter without CCB approval. One change opened inbound port 23 (Telnet) on an edge router that remained undetected for 47 days until the audit.
Finding 3: New hires in the IT department receive domain admin rights by default "to avoid repeated helpdesk tickets for access requests." Access reviews occur annually.
Finding 4: The SOAR platform has three playbooks (ransomware response, phishing response, account compromise) that have not been tested in 18 months. The security team assumes the playbooks still work correctly.
Address: (1) For Finding 1, what type of recovery site does the secondary location represent, and what specific changes to the DR configuration and testing process are required to meet the 4-hour RTO? (2) For Finding 2, what change management control failures occurred, and what specific CCB process requirements would have detected the Telnet port change within hours rather than 47 days? (3) For Findings 3 and 4, identify the security principle or procedure violated in each case and describe the specific corrective action required.
1. Finding 1 โ DR site type and RTO remediation:
Site type: The secondary site is a warm site โ pre-installed hardware with periodic (not real-time) data replication. Warm sites typically achieve operational state in 2โ8 hours, depending on backup restoration time and configuration complexity.
Why the RTO is being missed: The 6.5-hour actual recovery time exceeds both the warm site's expected performance and the 4-hour regulatory requirement. Possible causes: backup restoration takes longer than planned, system configuration steps are not scripted and require manual judgment, staff unfamiliarity with the DR environment, or undocumented dependencies on the primary site infrastructure.
Remediation options:
โข Upgrade to a hot site with real-time or near-real-time synchronous replication, enabling failover in minutes โ this satisfies a 4-hour RTO with margin, but is more expensive.
โข Optimize the warm site recovery process: script all restoration steps (no manual configuration), automate database restoration, conduct quarterly DR tests with time tracking to identify bottlenecks, and ensure the secondary site is configured identically to the primary.
โข Critical process fix: The DR test revealed the failure โ but this was a live test. The bank should conduct tabletop walkthroughs quarterly and live DR tests at least annually. The 6.5-hour actual time proves the plan's assumptions (that restoration takes 4 hours) were never validated. Every minute above the RTO is a regulatory violation during a real event.
2. Finding 2 โ Change management failures:
Control failures:
โข No CCB submission: Changes were made without being submitted to the CCB for review and approval โ bypassing the entire governance process.
โข No documentation: Changes were undocumented, creating no record of what changed, when, who authorized it, or why โ making the change invisible to the security and operations teams.
โข No risk analysis: The Telnet configuration (opening an unencrypted, unauthenticated protocol on an edge router) would have been flagged immediately in a risk review โ but no review occurred.
โข No post-change verification: No one confirmed the port 23 change was intentional or acceptable; it persisted for 47 days.
CCB process requirements that would have caught this:
โข Configuration management / change detection: A network configuration management tool (e.g., RANCID, Cisco DNA Center) compares running configurations against baseline snapshots and alerts on any unauthorized change โ the Telnet port change would have been detected within hours, not 47 days.
โข CCB mandatory submission: All production infrastructure changes must be submitted and approved before implementation; emergency changes require CCB notification within 24 hours with post-implementation review.
โข Firewall policy review integration: The CCB process should include a security review step that specifically checks for protocol and port changes on edge devices โ a governance control that the CCB would have applied if the change had been submitted.
3. Findings 3 and 4 โ Principles violated and corrective actions:
Finding 3 โ Least privilege violation:
The security principle violated is least privilege: accounts must be provisioned with only the access required for the user's specific current job function. Domain admin rights are the highest-privilege account type in a Windows environment; granting them by default to all IT staff because "it avoids helpdesk tickets" is convenience over security. A compromised domain admin account gives an attacker complete control over the entire Active Directory environment.
Corrective action: Revoke domain admin rights from all IT accounts that cannot demonstrate an active business need for them. Implement a just-in-time (JIT) privileged access workflow where domain admin access is temporarily granted via a PAM (Privileged Access Management) system upon request with approval, auto-expires, and is fully logged. Change access reviews from annual to quarterly. Establish role-based access provisioning where new IT hires receive a defined access set based on their specific role, not a blanket default.
Finding 4 โ Untested automated procedures (SOAR playbooks):
The principle violated is regular testing of operational procedures โ the same principle that applies to BCPs and DR plans applies to SOAR playbooks. APIs change, integrations break, tool configurations evolve. A SOAR playbook that worked 18 months ago may fail silently today because an API endpoint changed, an authentication token expired, or a tool was updated with a different schema.
Corrective action: Test each SOAR playbook in a non-production environment against simulated trigger conditions at least quarterly. Each playbook test should verify: all API integrations respond correctly, each automated action completes successfully, notifications reach the correct recipients, and escalation logic triggers at the correct thresholds. Failed playbook steps during a real incident will extend response time and may leave critical response actions (endpoint isolation, ticket creation) unexecuted. Playbook testing should be documented and treated as a formal procedure with pass/fail criteria โ not an informal check.
Site type: The secondary site is a warm site โ pre-installed hardware with periodic (not real-time) data replication. Warm sites typically achieve operational state in 2โ8 hours, depending on backup restoration time and configuration complexity.
Why the RTO is being missed: The 6.5-hour actual recovery time exceeds both the warm site's expected performance and the 4-hour regulatory requirement. Possible causes: backup restoration takes longer than planned, system configuration steps are not scripted and require manual judgment, staff unfamiliarity with the DR environment, or undocumented dependencies on the primary site infrastructure.
Remediation options:
โข Upgrade to a hot site with real-time or near-real-time synchronous replication, enabling failover in minutes โ this satisfies a 4-hour RTO with margin, but is more expensive.
โข Optimize the warm site recovery process: script all restoration steps (no manual configuration), automate database restoration, conduct quarterly DR tests with time tracking to identify bottlenecks, and ensure the secondary site is configured identically to the primary.
โข Critical process fix: The DR test revealed the failure โ but this was a live test. The bank should conduct tabletop walkthroughs quarterly and live DR tests at least annually. The 6.5-hour actual time proves the plan's assumptions (that restoration takes 4 hours) were never validated. Every minute above the RTO is a regulatory violation during a real event.
2. Finding 2 โ Change management failures:
Control failures:
โข No CCB submission: Changes were made without being submitted to the CCB for review and approval โ bypassing the entire governance process.
โข No documentation: Changes were undocumented, creating no record of what changed, when, who authorized it, or why โ making the change invisible to the security and operations teams.
โข No risk analysis: The Telnet configuration (opening an unencrypted, unauthenticated protocol on an edge router) would have been flagged immediately in a risk review โ but no review occurred.
โข No post-change verification: No one confirmed the port 23 change was intentional or acceptable; it persisted for 47 days.
CCB process requirements that would have caught this:
โข Configuration management / change detection: A network configuration management tool (e.g., RANCID, Cisco DNA Center) compares running configurations against baseline snapshots and alerts on any unauthorized change โ the Telnet port change would have been detected within hours, not 47 days.
โข CCB mandatory submission: All production infrastructure changes must be submitted and approved before implementation; emergency changes require CCB notification within 24 hours with post-implementation review.
โข Firewall policy review integration: The CCB process should include a security review step that specifically checks for protocol and port changes on edge devices โ a governance control that the CCB would have applied if the change had been submitted.
3. Findings 3 and 4 โ Principles violated and corrective actions:
Finding 3 โ Least privilege violation:
The security principle violated is least privilege: accounts must be provisioned with only the access required for the user's specific current job function. Domain admin rights are the highest-privilege account type in a Windows environment; granting them by default to all IT staff because "it avoids helpdesk tickets" is convenience over security. A compromised domain admin account gives an attacker complete control over the entire Active Directory environment.
Corrective action: Revoke domain admin rights from all IT accounts that cannot demonstrate an active business need for them. Implement a just-in-time (JIT) privileged access workflow where domain admin access is temporarily granted via a PAM (Privileged Access Management) system upon request with approval, auto-expires, and is fully logged. Change access reviews from annual to quarterly. Establish role-based access provisioning where new IT hires receive a defined access set based on their specific role, not a blanket default.
Finding 4 โ Untested automated procedures (SOAR playbooks):
The principle violated is regular testing of operational procedures โ the same principle that applies to BCPs and DR plans applies to SOAR playbooks. APIs change, integrations break, tool configurations evolve. A SOAR playbook that worked 18 months ago may fail silently today because an API endpoint changed, an authentication token expired, or a tool was updated with a different schema.
Corrective action: Test each SOAR playbook in a non-production environment against simulated trigger conditions at least quarterly. Each playbook test should verify: all API integrations respond correctly, each automated action completes successfully, notifications reach the correct recipients, and escalation logic triggers at the correct thresholds. Failed playbook steps during a real incident will extend response time and may leave critical response actions (endpoint isolation, ticket creation) unexecuted. Playbook testing should be documented and treated as a formal procedure with pass/fail criteria โ not an informal check.