Chapter 7 - Security Operations Flashcards

1
Q

In the event of a security incident, one of the primary objectives of operations staff is to ensure that: A. The attackers are detected and stopped B. There is minimal disruption to the organization's mission C. Appropriate documentation about the event is maintained as a chain of evidence D. The affected systems are immediately shut off to limit the impact

A

B. There is minimal disruption to the organization's mission

2
Q

Assuming a working IDS is in place, which of the following groups is best capable of stealing sensitive information due to the absence of system auditing? A. Malicious software B. Hacker or cracker C. Disgruntled employee D. Auditors

A

C. Disgruntled employee

3
Q

Which of the following provides controlled and un-intercepted interfaces into privileged user functions? A. Ring protection B. Anti-malware C. Maintenance hooks D. Trusted paths

A

D. Trusted paths

4
Q

The doors of a data center spring open in the event of a fire. This is an example of: A. Fail-safe B. Fail-secure C. Fail-proof D. Fail-closed

A

A. Fail-safe

5
Q

Which of the following ensures constant redundancy and fault tolerance? A. Cold spare B. Warm spare C. Hot spare D. Archives

A

C. Hot spare

6
Q

If speed is preferred over resilience, which of the following RAID configurations is the best choice? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10

A

A. RAID 0

7
Q

Updating records in multiple locations or copying an entire database to a remote location as a means to ensure the appropriate levels of fault tolerance and redundancy is known as: A. Data mirroring B. Shadowing C. Backup D. Archiving

A

B. Shadowing

8
Q

When the backup window is not long enough to back up all of the data and the restoration from backup must be as fast as possible, which of the following types of high-availability backup strategy is best? A. Full B. Incremental C. Differential D. Increase the backup window so a full backup can be performed

A

C. Differential

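Added worked example for cards 7 and 8 (not part of the original deck): a Python simulation of full, incremental and differential backups over one week of constructed file changes. It shows how much each strategy writes per night, how many backup sets a restore must read back, and why the "full plus newest set" shortcut that makes a differential restore fast silently loses data when applied to incrementals. The file names, version numbers and the weekly change pattern are constructed for illustration.

```python
"""Full vs incremental vs differential backups over one week (added example).

The file set, per-file version numbers and the daily change pattern are
constructed for illustration; they are not from any real system.
"""

FULL, INCREMENTAL, DIFFERENTIAL = "full", "incremental", "differential"

# Constructed workload: a full backup on Sunday night, then the files edited
# on each weekday.  A file that appears on several days was edited again.
BASE_FILES = ("a", "b", "c", "d", "e", "f", "g", "h")
DAILY_CHANGES = [
    {"a", "b"},        # Monday
    {"c"},             # Tuesday
    {"a", "d"},        # Wednesday
    {"e"},             # Thursday
    {"b", "c", "f"},   # Friday
]


def plan(strategy):
    """Run one week and return (backup_sets, final_state).

    backup_sets is a list of (label, {file: version}) snapshots in the order
    they were taken.  What each nightly set captures depends on the strategy:
      full         -> every file, every night
      incremental  -> files changed since the previous backup of any kind
      differential -> files changed since the last full backup (grows daily)
    """
    state = {f: 0 for f in BASE_FILES}          # version 0 = Sunday content
    backups = [("sunday-full", dict(state))]
    changed_since_full = set()
    for day, changed in enumerate(DAILY_CHANGES, start=1):
        for f in changed:
            state[f] += 1                       # a new version was written
        if strategy == FULL:
            captured = set(state)
        elif strategy == INCREMENTAL:
            captured = set(changed)
        elif strategy == DIFFERENTIAL:
            changed_since_full |= changed
            captured = set(changed_since_full)
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        backups.append((f"day{day}", {f: state[f] for f in captured}))
    return backups, state


def restore_chain(strategy, backups):
    """The backup sets, oldest first, that a restore of the latest state needs."""
    if strategy == FULL:
        return backups[-1:]                     # newest full only
    if strategy == DIFFERENTIAL:
        return [backups[0], backups[-1]]        # full + newest differential
    return list(backups)                        # full + every incremental


def restore(chain):
    """Replay backup sets oldest-first; later versions overwrite earlier ones."""
    rebuilt = {}
    for _, snapshot in chain:
        rebuilt.update(snapshot)
    return rebuilt


def summarize(strategy):
    backups, final_state = plan(strategy)
    nightly = [len(snapshot) for _, snapshot in backups[1:]]
    chain = restore_chain(strategy, backups)
    return {
        "nightly_files_written": nightly,
        "total_written_after_full": sum(nightly),
        "restore_sets_needed": len(chain),
        "restore_files_read": sum(len(s) for _, s in chain),
        "restore_correct": restore(chain) == final_state,
    }


def shortcut_restore_is_safe(strategy):
    """Would restoring only full + newest set give the right data?

    True for differential (that is the point of it); False for incremental,
    where skipping the intermediate sets silently loses intermediate edits.
    """
    backups, final_state = plan(strategy)
    return restore([backups[0], backups[-1]]) == final_state


if __name__ == "__main__":
    for s in (FULL, INCREMENTAL, DIFFERENTIAL):
        print(s, summarize(s), "shortcut ok:", shortcut_restore_is_safe(s))
```

Run as a script it prints one line per strategy: incremental writes the least per night (2, 1, 2, 1, 3 files) but needs all six sets to restore; differential writes more each night (2, 3, 4, 5, 6) but restores from just two sets, which is the trade-off card 8 is asking about.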
9
Q

At a restricted facility, visitors are requested to provide identification, which the guard at the front gate verifies against a pre-approved list before letting them in. This is an example of checking for: A. Least privilege B. Separation of duties C. Fail-safe D. Psychological acceptability

A

A. Least privilege

10
Q

The major benefit of information classification is to: A. Map out the computing ecosystem B. Identify the threats and vulnerabilities C. Determine the software baseline D. Identify the appropriate level of protection needed

A

D. Identify the appropriate level of protection needed

11
Q

When sensitive information is no longer critical but still within scope of a record retention policy, that information is best: A. Destroyed B. Re-categorized C. Degaussed D. Released

A

B. Re-categorized

12
Q

The main benefit of placing users into groups and roles is: A. Ease of user administration B. Increased security C. Ease of programmatic access D. Increased automation

A

A. Ease of user administration

13
Q

Which of the following best determines access and suitability of an individual? A. Job rank and title B. Partnership with the security team C. Role D. Background investigation

A

D. Background investigation

14
Q

Reports must be specific on both the message and which of the following? A. Intended audience B. Delivery options C. Colors used D. Print layout

A

A. Intended audience

15
Q

Which of the following can help with ensuring that only the needed logs are collected for monitoring? A. Clipping level B. Aggregation C. XML parsing D. Inference

A

A. Clipping level

16
Q

The main difference between a Security Event Information Management (SEIM) system and a log management system is that SEIM systems are useful for log collection, collation and analysis: A. In real time B. For historical purposes C. For admissibility in court D. In discerning patterns

A

A. In real time

17
Q

When normal traffic is flagged as an attack, it is an example of: A. Fail-safe B. Fail-secure C. False-negative D. False-positive

A

D. False-positive

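Added worked example for cards 15 and 17 (not from the original deck): a clipping-level check in Python run over a constructed sshd auth log. Alerting on every failed login would flag alice's two mistyped passwords as an attack, a false positive; counting failures per source inside a sliding time window and alerting only once the clipping level is reached keeps the alert for the one source that is actually guessing passwords. The log lines, hostname and addresses are constructed, and the log format is a simplified sshd style chosen for the example.

```python
"""Clipping-level alerting over an sshd auth log (added example).

The log lines, hostname and addresses below are constructed, not captured
from a real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
2024-03-04T09:00:01 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 51000 ssh2
2024-03-04T09:00:09 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 51001 ssh2
2024-03-04T09:00:15 host1 sshd[101]: Accepted password for alice from 10.0.0.5 port 51002 ssh2
2024-03-04T09:01:00 host1 sshd[102]: Failed password for root from 203.0.113.9 port 40000 ssh2
2024-03-04T09:01:02 host1 sshd[102]: Failed password for root from 203.0.113.9 port 40001 ssh2
2024-03-04T09:01:03 host1 sshd[102]: Failed password for admin from 203.0.113.9 port 40002 ssh2
2024-03-04T09:01:05 host1 sshd[102]: Failed password for admin from 203.0.113.9 port 40003 ssh2
2024-03-04T09:01:06 host1 sshd[102]: Failed password for test from 203.0.113.9 port 40004 ssh2
2024-03-04T09:01:08 host1 sshd[102]: Failed password for oracle from 203.0.113.9 port 40005 ssh2
2024-03-04T09:20:00 host1 sshd[103]: Failed password for bob from 10.0.0.7 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Return (timestamp, result, user, source) for each auth line that matches."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def alerts(events, clipping_level=5, window_seconds=60):
    """Alert once per source when failures inside a sliding window reach the clipping level.

    Returns a list of (source, failures_in_window, time_of_alert) tuples.
    Failures below the clipping level are still counted but never alerted on.
    """
    recent = defaultdict(deque)     # source -> timestamps of recent failures
    already_alerted = set()
    fired = []
    for ts, result, _user, src in events:
        if result != "Failed":
            continue
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()        # drop failures older than the window
        if len(window) >= clipping_level and src not in already_alerted:
            already_alerted.add(src)
            fired.append((src, len(window), ts.isoformat()))
    return fired


def failed_logins_by_source(events):
    """Raw failure counts per source, i.e. what a clipping level of 1 would alert on."""
    counts = defaultdict(int)
    for _ts, result, _user, src in events:
        if result == "Failed":
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("failures per source:", failed_logins_by_source(evs))
    print("clipping level 1 :", alerts(evs, clipping_level=1))   # three alerts, two of them noise
    print("clipping level 5 :", alerts(evs))                     # one alert, for 203.0.113.9
```

With the default clipping level of 5 failures in 60 seconds only 203.0.113.9 fires, at its fifth failure (09:01:06); with a clipping level of 1 all three sources fire, and two of those are the false positives card 17 describes.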
18
Q

The best way to ensure that there is no data remanence of sensitive information that was once stored on DVD-R media is by: A. Deletion B. Degaussing C. Destruction D. Overwriting

A

C. Destruction

19
Q

Which of the following processes is concerned with not only identifying and addressing the root cause but also addressing the underlying issue? A. Incident management B. Problem management C. Change management D. Configuration management

A

B. Problem management

20
Q

Before applying a software update to production systems, it is most important that: A. Full disclosure information about the threat that the patch addresses is available B. The patching process is documented C. The production systems are backed up D. An independent third party attests to the validity of the patch

A

C. The production systems are backed up

21
Q

Least privilege

A

No more access than necessary to perform a job

22
Q

Need to know

A

Defines the minimum for least privilege

23
Q

Privileged accounts

A

Root/built-in administrator accounts; service accounts; administrator accounts; and power user accounts

24
Q

System administrator

A

Highest level of privilege on most systems; manages system operations and maintenance

25
Q

Operators

A

Typically mainframe system users; schedule jobs to run effectively and troubleshoot problems, load/unload tapes and collect the output of job print runs, reassign ports and lines

26
Q

Security administrator

A

Oversight of security operations: account management, assignment of labels, system security settings, and review of audit logs

27
Q

Job rotation

A

Reduces the risk of collusion between individuals; also provides backup coverage, succession planning, and job enrichment opportunities

28
Q

Information classification

A

Group similar assets together and protect them based on common classification levels

29
Q

Marking

A

Labels should carry the sensitivity marking, whether or not the item is encrypted, and possibly a point of contact and retention period

30
Q

Magnetic media

A

Floppy disks, tapes, hard drives

31
Q

Optical media

A

CD, DVD

32
Q

Solid state media

A

Flash drives and memory cards

33
Q

Hard copy

A

Paper, microfiche

34
Q

Original media

A

Should be controlled through a software librarian

35
Q

Inventory scans of installed software

A

Should be conducted to identify unauthorized installations or license violations
36
Q

IDS

A

May be deployed out of band; will not affect processes or cause latency, but attacks will likely reach their intended target

37
Q

IPS

A

Deployed in-line; causes some latency and slows down processes, but detected attacks will likely not reach their intended target

38
Q

Signature or pattern matching systems

A

Match known attacks

39
Q

Protocol anomaly based systems

A

Check that network traffic conforms to the defined standard for that protocol

40
Q

Statistical anomaly based systems

A

Establish a baseline, then detect deviations from it

41
Q

Security Event Information Management (SEIM)

A

Provides a common platform for log collection, collation, and analysis in real time to allow for more effective and efficient response
42
Q

Containment strategy

A

Factors to weigh: the need to preserve forensic evidence, availability of services, damage from leaving the affected component in place, time required for the containment strategy to be effective, and resources needed to contain

43
Q

Forensic evidence

A

Obtain an image of RAM and of the hard drive first, then determine how to mitigate

44
Q

US Computer Emergency Readiness Team (US-CERT)

A

Government agencies must report a breach of PII within an hour of discovery

45
Q

Configuration management

A

Process of identifying and documenting hardware components, software, and the associated settings
46
Q

Fail-safe

A

Focus on failing with a minimum of harm to personnel or systems

47
Q

Fail-secure

A

Focus on failing in a controlled manner to block access while the system is in an inconsistent state

48
Q

NAS

A

Simply stores and serves files (file-level storage)

49
Q

SAN

A

Block-level storage

50
Q

RAID 0

A

Stripes across multiple disks without parity; fast reads, no redundancy

51
Q

RAID 1

A

Creates two identical drives: data mirroring

52
Q

RAID 2

A

Not used in practice; data spread across disks at the bit level

53
Q

RAID 3/4

A

Striping with redundancy in the form of a dedicated parity drive. RAID 3: byte level, more efficient; RAID 4: block level, faster

54
Q

RAID 5

A

Like RAID 4, but parity is striped across all drives instead of held on one

55
Q

RAID 6

A

Two sets of parity, allows for failure of 2 drives; lower performance, not frequently used
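Added worked example for cards 50 through 55 (not from the original deck): a Python model of RAID 0 striping and RAID 5 striping with rotating XOR parity, with a simulated disk failure. It shows why one lost disk is fatal for RAID 0 while RAID 5 rebuilds the missing unit of every stripe from the XOR of the survivors, and why a second lost disk is fatal for RAID 5 too. Chunk size, disk count and the sample data are constructed; parity placement follows a left-symmetric rotation, which is an assumption about layout rather than something the cards specify.

```python
"""RAID 0 striping and RAID 5 striping with rotating XOR parity (added example).

Chunk size, disk count and the sample data are constructed for illustration.
Parity placement follows a left-symmetric rotation, which is an assumption
about layout; real controllers vary.
"""
from functools import reduce
from operator import xor

CHUNK = 4   # bytes per stripe unit; tiny so a stripe is easy to inspect


class DataLoss(Exception):
    """Raised when the array cannot rebuild the requested data."""


def split_chunks(data, total_units):
    """Split data into CHUNK-byte units, zero-padded out to total_units units."""
    padded = data + b"\0" * (-len(data) % CHUNK)
    units = [padded[i:i + CHUNK] for i in range(0, len(padded), CHUNK)]
    units += [b"\0" * CHUNK] * (total_units - len(units))
    return units


def xor_units(units):
    """Bytewise XOR of equal-length units: the parity of a stripe."""
    return bytes(reduce(xor, col) for col in zip(*units))


def raid0_write(data, ndisks):
    """Stripe units across disks round-robin; no parity anywhere."""
    nunits = -(-len(data) // CHUNK)
    nstripes = -(-nunits // ndisks)
    units = split_chunks(data, nstripes * ndisks)
    return [[units[s * ndisks + d] for s in range(nstripes)] for d in range(ndisks)]


def raid0_read(disks, length):
    if any(disk is None for disk in disks):
        raise DataLoss("RAID 0 has no redundancy; a lost disk loses every stripe")
    ndisks, nstripes = len(disks), len(disks[0])
    units = [disks[d][s] for s in range(nstripes) for d in range(ndisks)]
    return b"".join(units)[:length]


def parity_disk_for(stripe, ndisks):
    """Left-symmetric rotation: parity moves one disk to the left each stripe."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data, ndisks):
    """Each stripe holds ndisks-1 data units plus one XOR parity unit."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = ndisks - 1
    nunits = -(-len(data) // CHUNK)
    nstripes = -(-nunits // per_stripe)
    units = split_chunks(data, nstripes * per_stripe)
    disks = [[] for _ in range(ndisks)]
    for s in range(nstripes):
        stripe_data = units[s * per_stripe:(s + 1) * per_stripe]
        parity = xor_units(stripe_data)
        pd = parity_disk_for(s, ndisks)
        it = iter(stripe_data)
        for d in range(ndisks):
            disks[d].append(parity if d == pd else next(it))
    return disks


def raid5_read(disks, length):
    """Read the data back, rebuilding one missing disk per stripe from parity."""
    ndisks = len(disks)
    present = [d for d in disks if d is not None]
    if len(present) < ndisks - 1:
        raise DataLoss("RAID 5 tolerates one failed disk, not two")
    nstripes = len(present[0])
    out = []
    for s in range(nstripes):
        units = [None if disk is None else disk[s] for disk in disks]
        if None in units:
            # XOR of the surviving units (data and parity) equals the lost one
            missing = units.index(None)
            units[missing] = xor_units([u for u in units if u is not None])
        pd = parity_disk_for(s, ndisks)
        out.extend(u for d, u in enumerate(units) if d != pd)
    return b"".join(out)[:length]


def survives_disk_loss(level, data, ndisks, failed=(1,)):
    """Write, knock out the given disks, try to read: True if the data comes back."""
    write, read = {"raid0": (raid0_write, raid0_read),
                   "raid5": (raid5_write, raid5_read)}[level]
    disks = write(data, ndisks)
    for f in failed:
        disks[f] = None
    try:
        return read(disks, len(data)) == data
    except DataLoss:
        return False


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"   # constructed payload
    print("RAID 0, one disk lost :", survives_disk_loss("raid0", sample, 4))
    print("RAID 5, one disk lost :", survives_disk_loss("raid5", sample, 4))
    print("RAID 5, two disks lost:", survives_disk_loss("raid5", sample, 5, failed=(0, 4)))
```

Usable capacity follows from the layout: RAID 0 uses every unit for data, RAID 5 gives up one unit per stripe to parity (so (n-1)/n of the raw space), and RAID 6 would give up two, which is the capacity and performance cost behind card 55.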
56
Q

Electronic vaulting

A

Backing up a system over the network to a separate location (the vault site); sent in real time when implemented as a mirror

57
Q

Journaling

A

Provides redundancy for transactions