
CERTIFIED-IN-CYBERSECURITY Question #227: Real Exam Question with Answer & Explanation

The correct answer is C: Change log.

Security Operations

Question

During a security incident response, where will an incident responder find the most recent modification to a system's security settings?

Options

  • A. Security log
  • B. Server log
  • C. Change log
  • D. Application log

Explanation

The change log records all changes made to a system, including security settings (see the ISC2 Study Guide, Module 3, under Change Logs). For example, after reviewing the change log, the IR team discovers that two-factor authentication (2FA) was recently disabled, which could have facilitated unauthorized access. The team can then further investigate why this change was made and whether it led to the security incident.

Here is an excerpt from a change log showing that the system administrator made a change on June 12 due to reported problems with 2FA:

  • Date: 2023-06-10, Time: 09:30 AM, User: Admin123, Change: Updated firewall settings, Reason: To block incoming traffic from a range of IPs.
  • Date: 2023-06-11, Time: 02:15 PM, User: SysAdmin, Change: Modified User Access Control, Reason: Grant additional privileges to UserXYZ.
  • Date: 2023-06-12, Time: 08:00 AM, User: SysAdmin, Change: Disabled two-factor authentication, Reason: Reported problems with 2FA.

While the other options can provide useful information for incident response, they would not be the primary source for finding the approval process for a recent change to a system's security settings. In fact, the Server log records events and errors that occur on a server. The Security log records security-related events such as logon attempts, resource access, and policy changes. The Application log records events related to a specific application.

Topics

#Incident Response #Change Management #Logging #Security Settings
