Chapter 14: Incident Management Flashcards

1
Q

What is an incident?

A

Any event that has a negative effect on the confidentiality, availability, or integrity of an organization’s assets.

2
Q

What is a computer security incident?

A

An incident that is the result of an attack or the malicious or intentional actions of users.

3
Q

How does NIST SP 800-61 define a computer security incident?

A

A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

4
Q

What are the steps of incident response?

A

Detection
Response
Reporting
Recovery
Remediation and Review

5
Q

List the ways in which an incident might be detected.

A

IDS/IPS systems send an alert
AV software displays a popup window
Automated tools scanning audit logs to send an alert when an event occurs
End users report problems such as inability to access a network resource.

6
Q

What should the first step after incident detection be?

A

Contain the incident, for example, unplug the NIC but don’t turn the system off.

7
Q

What is a CIRT or CSIRT?

A

A designated incident response team. Computer Incident Response Team. S == Security.

8
Q

What improves your chances of limiting incident damage?

A

Faster response time.

9
Q

What should you do after containing a security incident?

A

Investigate.

10
Q

What are requirements for incident reporting?

A

There can be many. Many jurisdictions have reporting requirements if PII is compromised.

11
Q

Why are many incidents not properly reported?

A

Training. People aren’t trained properly to recognize them as incidents.

12
Q

Why is finger pointing bad?

A

It takes focus away from fixing the problem.

13
Q

What should the end result of remediation and review be?

A

Often, a report by the C(S)IRT that may recommend changing procedures, adding security controls, or changing policies.

14
Q

List the basic preventative measures to prevent attacks.

A

Keep systems and applications up to date
Remove or disable unneeded services and protocols
Use up-to-date antivirus software
Use firewalls
Use intrusion detection and prevention systems.

15
Q

What is malicious code?

A

Any script or program that performs an unwanted, unauthorized, or unknown activity on a computer system.

16
Q

What is a drive-by-download?

A

Code downloaded and installed on a user’s system without the user’s knowledge. Occurs when the user visits an intended web page.

17
Q

What is a zero-day exploit?

A

An attack on a system exploiting a vulnerability that is unknown to others.

18
Q

What is a denial of service attack?

A

Attacks that prevent a system from processing or responding to legitimate traffic or requests for resources and objects.

19
Q

What is a SYN flood attack?

A

A common DoS attack that abuses the three-way TCP handshake. Multiple SYNs are sent but never acknowledged, leaving half-open connections.

20
Q

List tools that can perform a SYN flood

A

Trinoo, TFN, LOIC

21
Q

What is a smurf attack?

A

A flood attack that floods the victim with ICMP echo packets. It’s a spoofed broadcast ping that results in responses being sent to the target.

22
Q

What is Ping of Death?

A

An oversized ping packet > 64 KB. Vulnerable systems crash when they receive the packet.

23
Q

What is war dialing?

A

Using a modem to search for a system that accepts inbound connection attempts.

24
Q

What is an intrusion?

A

An attacker successfully bypassing or thwarting security mechanisms and gaining access to an organization’s assets.

25
Q

What is intrusion detection?

A

A specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.

26
Q

What is an IDS?

A

An intrusion detection system. Automates log monitoring and real-time event monitoring.

27
Q

What is knowledge based detection?

A

Signature or pattern matching detection. Most common method.

28
Q

What is behavior based detection?

A

Statistical or anomaly based detection. Creates a baseline of normal activities and watches for anomalies.

29
Q

What is the primary drawback of behavior based IDS?

A

Often raises a high number of false positives.

30
Q

What are the two types of IDS response?

A

Active and passive

31
Q

What is active IDS response?

A

Modifying the environment, for example modifying ACLs to block traffic, disabling communication on a segment, etc.

32
Q

What is passive IDS response?

A

Sending notifications to administrators (email, pager, popup).

33
Q

What is a host based IDS?

A

An IDS that monitors a single host, including process calls and information recorded in logs. Often more detailed than a NIDS.

34
Q

What is a network based IDS?

A

One that monitors a network by monitoring network patterns.

35
Q

What is the benefit of a host based intrusion detection system over a network based one?

A

It can often detect anomalies that wouldn’t be visible on the network.

36
Q

What is the difference between an IDS and IPS?

A

An IPS is inline with the network traffic, where an IDS is not.

37
Q

What is a pseudo-flaw?

A

A false vulnerability or apparent loophole implanted intentionally to tempt hackers.

38
Q

What is a padded cell?

A

Similar to a honeypot, it isolates intruders in an environment that looks like the actual target.

39
Q

What is a darknet?

A

A portion of an allocated IP range that isn’t used. Includes one device to capture all traffic into the darknet. Any traffic on the darknet is by definition malicious or suspect.

40
Q

What are the goals of penetration testing?

A

Determine how well a system can tolerate attack
Identify employees’ ability to detect and respond to attacks in real time
Identify additional controls that can be implemented to reduce risk.

41
Q

What are the different types of penetration testing?

A

Black box testing by a zero knowledge team
White box testing by a full knowledge team
Gray box testing by a partial knowledge team

42
Q

Why should the regular security staff not be used for penetration testing?

A

They often have blind spots or gaps in their understanding, estimation or capabilities with certain security subjects. If they knew about a vulnerability, they’d have fixed it already.

43
Q

What problems should pen test teams fix?

A

None. Ever.