CISM AIO 2nd - "Acquiring Additional Hardware" section gives a good chart (Table 7-7) on pros and cons as to why this answer is correct given the options
Expanding on MSKid, the correct answer is B because trying to acquire additional hardware during an incident is nearly impossible, as contracts, procurement, legal, etc. will need to get involved. But with non-standard logs all you need to do is run them through a parser to normalize the logs and you should be fine. This is why (A) is not the answer, while encryption can be decrypted (C) and compression can be decompressed (D).
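The "run them through a parser to normalize the logs" point above is easy to see in code. The following is an added example, not part of any comment on this page and not any exam material: it takes three constructed log lines in different formats (a Linux syslog-style line, a flattened Windows event, and a JSON audit line) and maps them onto one common schema so that a single query, here "failed logons per source IP", works across all of them. The sample lines, the assumed year for the syslog timestamp (syslog lines carry no year), and the field names in the JSON line are all constructed for the example.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines; no real host, user or address is referenced.
SAMPLE_LINES = [
    # Linux syslog-style line (the kind found under /var/log)
    "Jan 14 09:21:07 web01 sshd[2231]: Failed password for root from 203.0.113.5 port 52214 ssh2",
    # Windows event flattened to key=value pairs (4625 is the failed-logon event id)
    "EventID=4625 TimeCreated=2024-01-14T09:21:09Z Computer=WIN-DC01 TargetUserName=admin IpAddress=203.0.113.5 Status=0xC000006D",
    # JSON line as a cloud audit log might emit it (constructed field names)
    '{"eventTime":"2024-01-14T09:21:11Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.5",'
    '"userIdentity":{"userName":"admin"},"responseElements":{"ConsoleLogin":"Failure"}}',
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def _event(ts, source, host, user, src_ip, outcome):
    """Common schema every parser emits, regardless of the input format."""
    return {"ts": ts, "source": source, "host": host, "user": user, "src_ip": src_ip, "outcome": outcome}


def parse_syslog(line, assumed_year=2024):
    # Assumption: syslog timestamps have no year, so the caller supplies one.
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{assumed_year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    user = ip = None
    outcome = "unknown"
    f = SSH_FAIL_RE.search(m["msg"])
    if f:
        user, ip, outcome = f["user"], f["ip"], "failure"
    return _event(ts.isoformat(), "syslog", m["host"], user, ip, outcome)


def parse_windows_kv(line):
    # Flattened Windows event: split into key=value pairs, then map the fields we care about.
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    if "EventID" not in kv:
        return None
    ts = datetime.fromisoformat(kv["TimeCreated"].replace("Z", "+00:00")).isoformat()
    outcome = {"4625": "failure", "4624": "success"}.get(kv["EventID"], "unknown")
    return _event(ts, "windows", kv.get("Computer"), kv.get("TargetUserName"), kv.get("IpAddress"), outcome)


def parse_cloud_json(line):
    # JSON audit record; there is no host field, which is exactly the serverless situation.
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00")).isoformat()
    result = rec.get("responseElements", {}).get(rec.get("eventName", ""), "")
    outcome = "failure" if result == "Failure" else "success" if result == "Success" else "unknown"
    return _event(ts, "cloud", None, rec.get("userIdentity", {}).get("userName"),
                  rec.get("sourceIPAddress"), outcome)


def normalize_line(line):
    """Pick the parser from the shape of the line, so mixed input can be fed straight in."""
    stripped = line.strip()
    if stripped.startswith("{"):
        return parse_cloud_json(stripped)
    if "EventID=" in stripped:
        return parse_windows_kv(stripped)
    return parse_syslog(stripped)


def normalize_lines(lines):
    return [e for e in (normalize_line(l) for l in lines) if e is not None]


def failures_by_ip(events):
    """One query over the common schema: failed logons per source address, across all sources."""
    return dict(Counter(e["src_ip"] for e in events if e["outcome"] == "failure" and e["src_ip"]))


if __name__ == "__main__":
    events = normalize_lines(SAMPLE_LINES)
    for e in events:
        print(e)
    print(failures_by_ip(events))
```

The useful property is that once the three formats land in the same schema, the investigation question ("which address failed to log on, across every layer?") is one function call rather than three format-specific searches; adding a fourth format means adding one parser, not rewriting the query.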
I mostly agree with your explanation for the wrong answers.
B is the correct answer, but not because of the difficulty of acquiring additional hardware; the question is specifically talking about investigation, not recovery. Unless it is a private cloud environment (and sometimes even if it is), taking a bit-for-bit copy of a hard disk, for instance, may not be allowed because the resources are shared.
B. Access to the hardware
In a cloud technology environment, one of the greatest challenges to the investigation of security incidents is access to the hardware. Cloud environments typically abstract the hardware layer from users, which means that customers do not have direct access to the physical servers, network equipment, or storage devices where their data is processed and stored. This limitation can significantly impede forensic investigations, as investigators may require physical access to gather evidence, analyze hardware configurations, or perform other forensic tasks that are simply not possible in a cloud setting where the infrastructure is managed by a service provider.
Standard or non-standard logs are likely not an issue at all. All types of logs are never the same, but they are understandable. Otherwise, Linux /var/log and Windows Event logs would be problematic. Access to the hardware is the challenge. I am in Country B, but the AWS CloudFront I am using is in Country Z. Somehow, we will never know where our applications are hosted (serverless).
B. Access to the hardware
In a cloud technology environment, access to the hardware poses the greatest challenge to the investigation of security incidents. In traditional on-premises environments, organizations have direct physical access to their hardware, making it relatively easier to conduct investigations and gather evidence in case of security incidents.
Just simplify the question... What is the greatest difficulty when dealing with cloud providers? The answer is always getting access to the physical hardware. Answer is B.
C. Data encryption
Data encryption is a significant challenge when investigating security incidents in a cloud environment because it can make it extremely difficult to access and analyze the data that is encrypted. If data is properly encrypted, even if an attacker gains access to it, they will not be able to decipher it without the encryption keys. This can hinder the investigation process, as investigators may not be able to determine the nature and extent of a security incident or breach. In contrast, the other options (A, B, and D) can also pose challenges but are typically more manageable compared to the encryption of data.
Getting your cloud provider to give you access to their servers or other hardware is next to impossible, while non-standard logs are a challenge you can solve. B is the greatest challenge.
B. Access to the hardware
In a cloud technology environment, access to the hardware poses the greatest challenge to the investigation of security incidents. In traditional on-premises environments, organizations have direct physical access to their hardware, making it relatively easier to conduct investigations and gather evidence in case of security incidents.
The question said in a "CLOUD" environment. So access to underlying hardware "D" is incorrect and is typically managed and controlled by the cloud service provider, and customers do not have direct physical access to the hardware.
A is correct.
B is just crazy. Why would you need access to the hardware to investigate an incident? You think AWS is going to let their customers access their hardware? lolol. No customer gets access to the hardware. That's a moot option. It's not a challenge because it's not needed. Logs however are needed, and non-standard logs would make the investigation process more complex.
While access to hardware is a significant challenge, the lack of standardized and consistent event logs (Option A) is generally considered a more pervasive and widespread challenge in cloud environments, as it affects multiple aspects of incident investigation and analysis. So the option would be A.
In a cloud technology environment, non-standard event logs would pose the greatest challenge to the investigation of security incidents. Standardized event logs would provide a consistent source of information for security investigations and compliance audits. Non-standard event logs could be difficult to decipher or be incomplete, leading to gaps in security incident investigation.