Chapter 7 - Security Operations Flashcards
In the even of a security incident, one of the primary objectives of operations staff is to ensure that: A. the attackers are detected and stopped B. there is minimal disruption to the organization’s mission C. appropriate documentation about the event is maintaqined as chain of evidence D. the affected systems are immediately shut off to limit to the impact
B. there is minimal disruption to the organization’s mission
Assuming a working IDS is in place, which of the following groups is best capable of stealing sensitive information due to the abscence of system auditing? A. Malicious software B. Hacker or cracker C. Disgruntled employee D. Auditors
C. Disgruntled employee
Which of the following provides controlled and un-intercepted interfaces into privliged user functions? A. Ring protection B. Anti-malware C. Maintenance hooks D. Trusted paths
D. Trusted paths
The doors of a data center spring open in the event of a fire. This is an example of A. Fail-safe B. Fail-secure C. Fail-proof D. Fail-closed
A. Fail-safe
Which of the following ensures constant redundancy and fault tolerance? A. Cold spare B. Warm spare C. Hot spare D. Archives
C. Hot spare
If speed is preferred over resilience, which of the following raid configuration is the best choice? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10
A. RAID 0
Updating records in multiple locations or copying an entire database to a remote location as a means to ensure the appropriate levels of fault tolerance and redundancy is known as A. Data mirroring B. Shadowing C. Back up D. Archiving
B. Shadowing
When the backup window is not long enough to backup all of the data and sthe restoration of backup must be as fast as possible, which of the following types of high-availability backup strategy is best? A. Full B. Incremental C. Differential D. Increase the backup window so a full backup can be performed
C. Differential
At a restricted facility, visitors are requested to provide identification and verified against a pre-approved list by the guard at the front gate before being let in. This is an example of checking for: A. Least privilege B. Separation of duties C. Fail-safe D. Psychological acceptability
A. Least privilege
The major benefit of information classification is to: A. map out the computing ecosystem B. identify the threats and vulnerabilities C. determine the software baseline D. identify the appropriate level of protection needs
D. identify the appropriate level of protection needs
When sensitive information is no longer critical but still within scope of a record retention policy, that information is best: A. Destroyed B. Re-categorized C. Degaussed D. Released
B. Re-categorized
The main benefit of placing users into groups and roles is: A. ease of user administration B. Increased security C. Ease of programmatic access D. Increased automation
A. ease of user administration
Which of the following best determines access and suitability of an individual? A. job rank and title B. partnership with the security team C. role D. background investigation
D. background investigation
Reports must be specific on both the message and which of the following? A. Intended audience B. Delivery options C. Colors used D. print layout
A. Intended audience
Which of the following can help with ensuring that only the needed logs are collected for monitoring? A. clipping level B. Aggreagation C. XML Parsing D. Inference
A. clipping level
The main difference between a Security Event Information System and a log management system is that SEIM systems are usefull for log collection, collation and analysis: A. real time B. for historical purposes C. for admissibility in court D. in discerning patterns
A. real time
When normal traffic is flagged as an attack, it is an example of: A. Fail-safe B. Fail-secure C. False-negative D. False-positive
D. False-positive
The best way to ensure that there is not data remance of sensitive information that was once stored on a dvd-r media is by: A. Deletion B. Degaussing C. Destruction D. Overwriting
C. Destruction
Which of the following processes is concerned with not only identifying and addressing the root cause but also addressing the underlying issue: A. Incident management B. Problem management C. Change management D. Configuration management
B. Problem management
Before applying a software update tp production systems, it is most important that: A. full disclosure information about the threat that the patch addresses is available B. The patching process is documented C. The production systems are backed up D. An independent third party attests the validity of the patch
C. The production systems are backed up
Least privilege
no more access than necessary to perform a job
need to know
defines the minimum for least privilege
Privilieged accounts
root/builtin adminstrator accounts; service accounts; administrator accounts, and power user accounts
system administrator
highest level of privilege on most systems, managing systems operations and maintenance
operators
typically were mainframe system users, schedule jobs to run effectively and troubleshoot problems, load/unload tapes and result of job print runs, reassignment of ports and lines
security administrator
oversight for security operations, acct managment, assignment of labels, system security settings and review of audit logs
job rotations
reduce the risk of collusion of activities between individuals - also provides back up coverage, succession planning, and job enrichment opportunities
information classification
group similar assets together and protect them based on common classification levels
marking
labels should have sensitivity marking, whether or not encrypted, and maybe point of contact and retention period
magnetic media
floppy disks, tapes, hard drives
optical media
cd. dvd
solid state media
flash drive and memory cards
hard copy
paper, microfiche
original media
should be controlled thru a software librarian
inventory scans of installed software
should be conducted to identify unauthorized installations or license violations
IDS
maybe deployed out of band - will not affect processes or cause latency, but attacks will likely reach their intended target
IPS
in-line, cause some latency and slow down processes, but affected attacks will not likely reach their intended target
signature or pattern matching systems
matches known attacks
protocol anomaly based systems
network traffic confirms to the defined standard for that protocol
statistical anomaly based system
establish baseline, detect deviations
Security Event Information Management (SEIM)
provides common platform for log collection, collation, and analysis in real-time to allow for more effective and efficient response
containment strategy
need to preserve forensic evidence, availability of services, damage leaving affected component in place, time required for containment strategy to be efective, resources needed to contain
forensic evidence
obtain image of ram and hard drive, then determine how to mitigate
US COmputer Emergency Readiness Team (US-CERT)
Government agaencies must report breach of PII within an hour of discovery
configuration management
process of identifying and dcoumenting hardware components, software, and the associated settings
Fail-safe
focus on failing with a minimum of harm to personnel or systems
Fail-secure
focus on failing in a controlled manner to block access while the system is in an inconsistent state
NAS
simply store and serve files
SAN
block level storage
RAID 0
stripes across multiple disks without parity, fast reading, no redundancy
RAID 1
Creates two indentical drives - data mirroring
RAID 2
not used in practice - data spread across at bit level
RAID 3/4
Strioing and redundancy in form of parity drive - RAID 3 - byte level - more efficient, RAID 4 - block level - faster
RAID 5
Like RAID4 but parity is striped
RAID 6
2 sets of parity, allows for failure of 2 drives, less performance, not frequently used
Electronic vaulting
backing up system over network - separate location (vault site), sent in real time when implemented as a mirror
Journaling
provides redundancy for transactions
