Chap 8 - Security operations Flashcards

1
Q

what are the common classifications of an event

A
  • precursor = signal that something will take place
  • indicator = signal that something is taking place
2
Q

what are the main issues log management addresses

A
  • compliance and standards
  • policies throughout the system and info lifecycle
  • infrastructure
  • generation, collection and normalization
  • protection from creation to disposal (archiving / defensible destruction)
  • review, analytics and reporting
3
Q

what is an IDS

A

solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access

4
Q

what is an IPS

A

solution that monitors environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access

5
Q

IDS/IPS deployment

A

can be deployed as a perimeter placement (DMZ), host-based, or network-based, and located at various physical and logical locations in the IT environment

6
Q

how can IDS/IPS detect malicious activities

A
  • deviation
  • signatures
  • pattern matching
  • heuristic (machine learning algorithm)
7
Q

what are the main tradeoffs associated with IDS/IPS

A
  • maintenance
  • overhead
  • false positives
  • agility
8
Q

what are types of SIEM deployments

A
  • self-hosted, self-managed
  • cloud SIEM, self-managed
  • hybrid self-hosted
  • SIEM as a Service
9
Q

what are the main functions of a SIEM

A
  • aggregation = gather info across environment
  • normalization = present data in meaningful ways
  • correlation = probability that a stream of logs indicates an attack
  • secure storage = follow rule of evidence
  • analysis = automatic analysis
  • reporting
  • real-time monitoring = threat detection across network
10
Q

ingress monitoring

A

inbound communication traffic

tools:
- firewall
- gateway
- remote authentication servers
- IDS/IPS

11
Q

Egress monitoring

A

outbound communication traffic

tools:
- DLP (through signature, pattern, labeling)

DLP can cover data at rest, in motion and in use

12
Q

what are the main efforts as part of data protection

A
  • data discovery / classification / categorization
  • monitoring
  • enforcement (training, attribution, prevention)
13
Q

what do we use regression testing for?

A

confirms that the system’s behavior has been altered only in ways that the approved change should have caused and that no other anomalous behavior has resulted from the changes

14
Q

what is the Information Technology Infrastructure Library (ITIL)

A

widely adopted information technology change practices

15
Q

what are the ITIL process levels based on urgency

A
  • standard changes
  • emergency changes
  • normal changes
16
Q

what are the 2 important processes that come together via well-implemented change mgmt practices

A
  • baselining
  • provisioning
17
Q

change initiation steps include

A
  • identification of change requirements
  • risk assessment
  • change prioritization
  • documentation of the RFC
18
Q

Change review & approval steps include

A
  • evaluating the RFCs for completeness
  • assignment to the proper change authorization process
  • stakeholder review
  • appropriate approvals or rejections
  • documentation of approval or rejection
19
Q

implementation and evaluation steps include

A
  • scheduling the change
  • testing the change
  • verifying the rollback procedures
  • implementing the change
  • evaluating the change for proper operation
  • documenting the change in the production
20
Q

what are the challenges of the practice of patching systems

A
  • interoperability
  • poorly crafted patches
  • required downtime
  • virtualization-specific concerns
  • timing
21
Q

what are the best practices in patching systems

A
  • notice of patch
  • determine applicability/evaluation
  • determine potential impacts
  • testing the patch

after approval ->
- perform a full backup prior to application
- apply the patch
- confirm installation of the patch for all target systems

verify operation post-patch ->
- solicit/receive user feedback
- document
or
- rollback if required

22
Q

what are the 4 main change management activities

A
  1. change management
  2. vulnerability management
  3. patch management
  4. configuration management
23
Q

when does an event become an incident?

A

when there is a possibility of harm

24
Q

what are common business practices to handle incidents

A
  • incident detection
  • assessment
  • escalation
  • communication
  • recovery
  • learning
25
Q

what is the NIST computer security incident handling lifecycle

A
  1. preparation
  2. detection and analysis
  3. containment, eradication and recovery
  4. post-incident activity
26
Q

what are the 4 phases of cyber forensics

A
  • collection (of media -> data)
  • examination (of the data -> to find information)
  • analysis (of the information -> to find evidence/artifacts)
  • reporting (of the evidence/artifacts)
27
Q

what are the incident response team’s communications to key stakeholders

A
  • customers (media)
  • other response teams
  • internet service providers
  • incident reporters
  • law enforcement agencies
  • software and support vendors
28
Q

what is the primary role of a Security Operations Center (SOC)

A

ENABLE the organization’s senior leadership and management to make INFORMED DECISIONS about emergency or urgent actions to take to PROTECT THE ORGANIZATION from loss or impact

29
Q

what are some types of events that might be a step of an attack kill chain

A
  • input buffer overflows
  • endpoint/removable media infections
  • filenames containing unusual/unprintable characters
  • access control system notice
  • unplanned restart
  • unmanaged host or endpoint trying to join the network
  • notice of unplanned configuration changes
  • multiple failed login attempts
  • email system alert of an increase in bounced/refused/junk mail
  • unusual deviation in network traffic flows
30
Q

what are the main approaches to root cause analysis

A
  • Pareto analysis = 80% value -> 20% effort
  • 5 whys
  • Fishbone diagram = visualization tool focusing on causes
  • failure mode effects analysis = systematically identifies failures
  • Fault tree = applies Boolean logic
31
Q

what are the main types of attack containment tactics

A
  • logical or physical disconnection
  • disconnect key server
  • disconnect your internal network
  • disabling wifi
  • disabling outgoing and incoming connections to unknown hosts
  • disabling outgoing and incoming connections to all external hosts
  • disconnect from any extranets or VPNs
  • disconnect all external access to the system
  • disable internal users, processes or applications
32
Q

what is the eradication process

A

process of identifying and then removing every instance of the causal agent and its associated files, executables and so forth from all elements of your system

33
Q

what is the recovery process

A

process by which the organization’s IT infrastructure, applications, data and workflows are reestablished and declared operational

34
Q

what is the remediation process

A

activities to immediately limit or reduce the chance of reoccurrence of this type of attack

35
Q

what is a SOAR

A
  • security orchestration
  • security automation
  • security response
36
Q

what is allow listing

A

permits only previously approved items to be executed and blocks execution of all others

37
Q

what is block listing

A

explicitly prohibits applications on the block list

38
Q

what are honeypots or honeynets

A

machines that exist on the network but do not contain sensitive or valuable data (a number of such machines connected together forms a honeynet)

they are not to be considered a means to lure or attract the attention of malicious actors

39
Q

is hackback legal

A

in almost all jurisdictions hackback is illegal, often with severe penalties (in the US and UK it is a felony)

40
Q

main steps an organization can take to improve its response to ransomware

A
  • back up data regularly
  • separate backups from the computer and network being backed up
  • physically isolate sensitive processes
  • implement cross-domain solutions
  • patch mgmt and legal software
  • awareness training
  • anti-malware tools
  • IDS/IPS
  • incident response readiness
  • network segmentation for quarantine
  • tabletop exercises
  • define the decision-making process
  • others including EDR / XDR / etc.
41
Q

what is software defined security (SDS)

A

next generation of SOAR -> holistic approach

evolution from start
1. IAM
2. device-level security
3. Network IDS/IPS
4. SIEM
5. SOAR
6. SDS

42
Q

types of security services provided by 3rd parties

A
  • threat hunting
  • network monitoring
  • physical security
  • network mgmt
  • audit
43
Q

what are the main due diligence steps when contracting a 3rd party

A
  • review governance
  • SLAs
  • NDAs
  • insurance/bonding
  • audit/testing
  • strong contract language
  • regulator approval
44
Q

what is the minimum protection in backup storage strategy

A
  • 3 copies of the data (original + 2x backups)
  • 2x different storage media type (magnetic/removable/cloud)
  • one copy offsite
45
Q

what are the types of locations for backups

A
  • onsite
  • offsite
  • Cloud backup as a service
46
Q

what are types of backup

A
  1. Full backup
  2. differential backup: all changes since the last full backup
  3. incremental backup: new/changed files since the last full backup
  4. journaling: granular recovery of a DB, records all transaction logs
  5. Snapshot: virtualized storage that mirrors data blocks
  6. Continuous data protection (CDP): form of snapshotting every time a data block changes
47
Q

2 key considerations when backing up

A

Versioning: ability to conserve several versions of backups to eliminate the risk of losing all recovery capability (if one affected…)

Validation: each backup should be validated to ensure the copy is thorough and accurate

48
Q

what are common recovery site strategies

A
  • Mirrored: identical to original -> high availability & reliable
  • Hot: similar to mirror but without the latest data -> few hours to deploy
  • warm: no current version, no full equipment -> few days to deploy
  • cold: empty facility -> no HW/software -> few weeks/months
  • mobile: portable facility -> HW only -> few days to deploy
  • Cloud: backup in CSP -> check SLAs for guarantees
  • Joint operating agreement (JOA): usually gov. shared location
  • multiple processing sites: each site at 50% capacity (active-active)
49
Q

what is the difference between active-active & active-passive

A

active-active: all sites operate normally, but at low capacity (e.g., 50%); if needed, ability to transfer 100% to a single site

active-passive: at least 1x site of the cluster is not used in normal operations -> only brought online on disruption of the “Active system”

50
Q

what are the key system resilience considerations

A
  • sufficient spare components
  • clustering of sites (e.g., active-active)
  • power
  • Uninterruptible power supplies (UPS)
  • generators
51
Q

what are the different types of Redundant Array of Independent Disk (RAID)

A
  • RAID 0: no actual redundancy -> data striped
  • RAID 1: mirroring
  • RAID 2: legacy approach (not used)
  • RAID 3 & 4: data striped across multi-drives & 1x drive parity
  • RAID 5: Data & parity striped across multi-drives
  • RAID 6: data striped & 2x sets of parity across multi-drives
  • RAID 0+1: data striped & mirror -> used by Cloud -> see SLA
  • RAID 1+0 (10): data striped and duplicated simultaneously
  • RAID 15 & 51: combine 1 and 5 -> high cost and impact on prod.
52
Q

why apply physical security

A

protect from
- damage
- loss
- theft

53
Q

what is Crime prevention through environmental design (CPTED)

A
  • landscaping to enforce security (no straight roads, fences, rivers)
  • area isolation
  • lighting system for movement detection
  • guards
  • doors/ windows with solid core
  • locks
  • etc.
54
Q

what are the types of protection for wiring closets (server rooms)

A
  • secured room
  • access to room monitored
  • tamper protection
  • environmental protection
  • protection from lightning
  • backup power
  • HVAC system
  • fire detection
  • emergency shutoff
55
Q

Heating, Ventilation and Air Conditioning (HVAC) security & safety protections

A
  • redundancy
  • detection of failure (sensors)
  • HVAC control
  • adequate cooling & airflow
56
Q

what are the main environmental issues to consider

A
  • hurricane
  • tornado
  • forest/wildfire
  • earthquake
  • tsunami
  • flooding
  • mudslides
57
Q

what is the fire triangle

A
  • fuel
  • O2
  • heat
58
Q

what are the fire classes

A

EU -> US -> description -> counter

A -> A -> ordinary combustibles -> water
B -> B -> flammable liquids -> foam
E -> C -> electrical -> CO2
D -> D -> flammable metals -> dry powder
F -> K -> commercial cooking equipment -> chemicals

59
Q

what are common types of water-based suppression systems

A
  • wet-pipe
  • dry pipe
  • pre-action
  • deluge
  • aqueous firefighting foam (AFFF)
60
Q

what are common gas-based suppression systems

A
  • hydrofluorocarbon
  • halon
  • FM-200
  • carbon dioxide (CO2)
  • Argonite
  • inergen
61
Q

what are personal/security concerns when traveling

A
  • secure remote access
  • jurisdictional concerns
  • personnel protection
  • condition monitoring
62
Q

what is duress

A

personnel should have a means to report to the organization if they are ever put under duress (threatened)

63
Q

Darcy is designing a fault tolerant system and wants to implement RAID-5 for her system. What is the minimum number of physical hard disks she can use to build this system?

A

Three

RAID level 5, disk striping with parity, requires a minimum of three physical hard disks to operate.

64
Q

Which one of the following is an example of physical infrastructure hardening?
A. Antivirus software
B. Hardware-based network firewall
C. Two-factor authentication
D. Fire suppression system

A

D. Fire suppression system

Antivirus software, hardware firewalls, and two-factor authentication are all examples of logical controls.

65
Q

You are also concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers?

A

RAID

Redundant Array of Inexpensive Disks (RAID) uses additional hard drives to protect the server against the failure of a single device.

66
Q

What does labelling data allow a DLP system to do?

A

The DLP system can detect labels and apply appropriate protections.

Data loss prevention (DLP) systems can use labels on data to determine the appropriate controls to apply to the data.

67
Q

What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing water?

A

Preaction

A preaction fire suppression system activates in two steps.

The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.

68
Q

Warren is designing a physical intrusion detection system for his data center and wants to include technology that issues an alert if the communications lines for the alarm system are unexpectedly cut. What technology would meet this requirement?

A

Heartbeat sensor

Heartbeat sensors send periodic status messages from the alarm system to the monitoring center.

69
Q

Which one of the following fire suppression systems uses a suppressant that is no longer manufactured due to environmental concerns?

A

Halon

Halon fire suppression systems use a chlorofluorocarbon (CFC) suppressant material that was banned in the Montreal Protocol because it depletes the ozone layer.

70
Q

Which one of the following humidity values is within the acceptable range for a data center operation?

A

Data center humidity should be maintained between 40% and 60%.

Values below this range increase the risk of static electricity, while values above this range may generate moisture that damages equipment.

71
Q

What protocol is used to handle vulnerability management data?

A

The Security Content Automation Protocol (SCAP) is a community-sourced specification for security flaw and security configuration information and is defined by NIST.

72
Q

Danielle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, as well as how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these?

A

CVSS

The Common Vulnerability Scoring System (CVSS) includes metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated, as well as a means to score vulnerabilities against users’ unique requirements.

73
Q

When a Windows system is rebooted, what type of log is generated?

A

Information

Rebooting a Windows machine results in an information log entry.