Chapter 7 - Security Operations Flashcards

1
Q

Which of the following is the best response after detecting and verifying an incident?

A) Contain it
B) Report it
C) Remediate it
D) Gather evidence

A

A) Contain it

2
Q
Which of the following would security personnel do during the remediation stage? 
A) Contain the incident
B) Collect evidence 
C) Rebuild system
D) Root Cause Analysis
A

D) Root cause analysis

3
Q
Which of the following is the most common method of distributing malware?
A) Drive-by-downloads
B) USB flash drives
C) Ransomware
D) Unapproved software
A

A) Drive-by-downloads

4
Q

What is the end goal of disaster recovery?
A) Preventing business interruptions
B) Setting up temporary business operations
C) Restoring normal business activity
D) Minimizing the impact of a disaster

A

C) Restore normal business activity

5
Q

What does the term “100-year flood plain” mean to emergency preparedness officials?
A) The last flood of any kind to hit the area was more than 100 years ago.
B) The odds of a flood at this level are 1 in 100 in any given year
C) The area is expected to be safe from flooding for at least 100 years
D) The last significant flood to hit the area was more than 100 years ago.

A

B) The odds of a flood at this level are 1 in 100 in any given year.

6
Q
Which one of the following trusted recovery types does not fail into a secure operating state?
A) Manual recovery
B) Automated recovery
C) Automated recovery without undue loss
D) Function recovery
A

A) In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations. In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically.

7
Q
Scott would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command and control servers. Which one of the following techniques would be most likely to provide this information if Scott has access to a list of known servers?
A) NetFlow records
B) IDS logs
C) Authentication logs
D) RFC logs
A

A) NetFlow records contain an entry for every network communication session that took place and can be compared to a list of known malicious hosts. IDS logs might contain a relevant record, but this is less likely because an IDS creates log entries only when traffic triggers a rule, whereas NetFlow records encompass all communications. Authentication and RFC logs would not contain records of any network traffic.

8
Q
Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply? 
A) Least privilege 
B) Defense in depth 
C) Security through obscurity
D) Two-person control
A

D) Gary should follow the principle of two-person control by requiring simultaneous action by two separate authorized individuals to gain access to the encryption keys. He should also apply the principles of least privilege and defense in depth, but those principles apply to all operations and are not specific to sensitive operations.

9
Q
Which of the following terms is often used to describe a collection of unrelated patches released in a large collection? 
A) Hotfix
B) Update
C) Security fix
D) Service pack
A

D) Hotfixes, updates, and security fixes are all synonyms for single patches designed to correct a single problem. Service packs are collections of many different updates that serve as a major update to an operating system or application.

10
Q

Which one of the following tasks is performed by a forensic disk controller?
A) Masking error conditions reported by the storage device
B) Transmitting write commands to the storage device
C) Intercepting and modifying or discarding commands sent to the storage device
D) Preventing data from being returned by a read operation sent to the device.

A

C) A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions are returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.

11
Q

Which of the following would normally be considered an example of a disaster when performing disaster recovery planning?

1) Hacking incident
2) Flood
3) Fire
4) Terrorism

A) 2 and 3
B) 1 and 4
C) 2, 3, and 4
D) All of the above

A

D) A disaster is any event that can disrupt normal IT operations and can be either natural or man-made. Hacking and terrorism are examples of man-made disasters, while flooding and fire are examples of natural disasters.

12
Q
Which one of the following is not an example of a backup tape rotation scheme?
A) Grandfather/Father/Son
B) Meet in the middle
C) Tower of Hanoi
D) Six cartridge weekly
A

B) Grandfather/father/son, Tower of Hanoi, and six cartridge weekly schemes are all different approaches to rotating backup media that balance reuse of media against data retention concerns. Meet in the middle is a cryptographic attack against double DES (2DES) encryption, not a rotation scheme.

13
Q
Which one of the following security tools is not capable of generating an active response to a security event? 
A) IPS
B) Firewall
C) IDS
D) Antivirus software
A

C) Intrusion detection systems provide only passive responses, such as alerting admins to a suspected attack. Intrusion prevention systems and firewalls, on the other hand, may take action to block an attack attempt. Antivirus software also may engage in active response by quarantining suspect files.

14
Q
What term is used to describe the default set of privileges assigned to a user when a new account is created? 
A) Aggregation 
B) Transitivity 
C) Baseline 
D) Entitlement
A

D) Entitlement refers to the privileges granted to users when an account is first provisioned

15
Q
Florian is building a DR plan for his organization and would like to determine the amount of time that a particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating?
A) RTO 
B) MTD
C) RPO 
D) SLA
A

B) The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The recovery point objective (RPO) identifies the maximum amount of data that may be lost during a recovery effort. Service level agreements (SLAs) are written contracts that document service expectations.

16
Q
Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an offsite location each night. What type of database recovery technique is the consultant describing?
A) Remote Journaling
B) Remote mirroring 
C) Electronic vaulting
D) Transaction logging
A

C) In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. Transaction logging is not a recovery technique on its own; it is the process that generates the logs used in remote journaling. Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site onto the server at the backup site.

17
Q
Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident? 
A) NIDS
B) Firewall
C) HIDS
D) DLP
A

C) A host-based intrusion detection system (HIDS) may be able to detect unauthorized processes running on a system. The other controls mentioned (NIDS, firewalls, and DLP systems) are network-based and may not notice rogue processes.

18
Q
During what phase of the incident response process do administrators take action to limit the effect or scope of an incident?
A) Detection 
B) Response 
C) Mitigation 
D) Recovery
A

C) The mitigation phase of incident response focuses on actions that can contain the damage incurred during an incident. This includes limiting the scope and/or effectiveness of the incident.

19
Q
What is typically considered the shortest effective length of a mandatory vacation? 
A) Two days
B) Four days
C) One week
D) One month
A

C) Most security professionals recommend at least one, and preferably two, weeks of vacation to deter fraud.

20
Q

Which of the following events would constitute a security incident?
1) An attempted network intrusion
2) A successful database intrusion
3) A malware infection
4) A violation of a confidentiality policy
5) An unsuccessful attempt to remove information from a secured area
A) 2,3,and 4
B) 1,2,and 3
C) 4 and 5
D) All of the above

A

D) Any attempt to undermine the security of an organization, or any violation of a security policy, is an incident. Each of the events described meets this definition and should be treated as an incident.

21
Q

Which one of the following traffic types should not be blocked by an organization’s egress filtering policy?
A) Traffic destined to a private IP address
B) Traffic with a broadcast destination
C) Traffic with a source address from an external network
D) Traffic with a destination address on an external network

A

D) Egress filtering scans outbound traffic for potential security policy violations. This includes traffic with a private IP address as the destination, traffic with a broadcast address as the destination, and traffic with a falsified source address that does not belong to the organization. Traffic from an internal source to an external destination is normal outbound traffic and should be allowed by the policy.
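As an added illustration of the three egress rules above (not part of the original flashcard set), the following Python function classifies outbound packets the way a perimeter filter would. The organization's address space (203.0.113.0/24, a documentation range) and the sample packets are constructed assumptions; the rule logic is what the explanation describes: block private destinations, block broadcast destinations, block sources outside the organization's own space, and let ordinary internal-to-external traffic through.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the organization's public address space (TEST-NET-3 documentation range).
ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 private ranges, spelled out explicitly. (Python's ip.is_private also
# flags documentation ranges such as 203.0.113.0/24, so it is not used here.)
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def egress_decision(pkt):
    """Classify one outbound packet; returns (action, reason)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Rule 1: a private destination has no business crossing the perimeter.
    if _in_any(dst, PRIVATE_NETWORKS):
        return "block", "private destination"

    # Rule 2: limited broadcast, or a directed broadcast for one of our own subnets.
    if dst == LIMITED_BROADCAST or any(dst == net.broadcast_address for net in ORG_NETWORKS):
        return "block", "broadcast destination"

    # Rule 3: anti-spoofing. Outbound traffic must carry one of our own source addresses.
    if not _in_any(src, ORG_NETWORKS):
        return "block", "source address not in organization space"

    # Everything else is ordinary internal-to-external traffic (answer D).
    return "allow", "internal source to external destination"


def filter_batch(packets):
    """Run the policy over a list of packets and return one decision row per packet."""
    return [(p.src, p.dst) + egress_decision(p) for p in packets]


# Constructed sample traffic: one packet per rule plus one legitimate flow.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "10.20.30.40"),        # leaked RFC 1918 destination
    Packet("203.0.113.10", "255.255.255.255"),    # broadcast
    Packet("192.0.2.50", "198.51.100.7"),         # spoofed source (not ours)
    Packet("203.0.113.10", "198.51.100.7"),       # normal web browsing, allowed
]

if __name__ == "__main__":
    for src, dst, action, reason in filter_batch(SAMPLE_PACKETS):
        print(f"{src:>15} -> {dst:<15} {action:5} ({reason})")
```

The rules are checked in the order the flashcard lists them, so a packet that is both spoofed and aimed at a private address is reported under the first rule it trips; a production filter would log every matching rule rather than the first.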

22
Q

You are performing an investigation into a potential bot infection on your network and wish to perform a forensic analysis of the information that passed between different systems on your network and those on the internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information?

A) Packet captures
B) NetFlow data
C) Intrusion detection system logs
D) Centralized authentication records

A

B) NetFlow data contains information on the source, destination, and size of all network communications and is routinely saved as a matter of normal activity. Packet capture data would provide relevant information, but it must be captured during the suspicious activity and cannot be recreated after the fact unless the organization is already conducting 100 percent packet capture, which is very rare. Additionally, the use of encryption limits the usefulness of packet capture. IDS logs would not likely contain relevant information, because the encrypted traffic would probably not match intrusion signatures. Centralized authentication records would not contain information about network traffic.
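Cards 7 and 22 both rest on the same idea: flow records carry source, destination, ports and byte counts for every session, so a list of known command-and-control addresses can be matched against them after the fact, and encryption of the payload does not matter because no payload is involved. The following Python script, added here as an illustration and not part of the original flashcards, does that matching over a handful of constructed flow records. The CSV column names, the indicator addresses (documentation ranges, not real C2 servers) and the internal hosts are all assumptions; a real export from nfdump or a flow collector would need the field names adjusted.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed indicator list; real C2 lists come from threat-intel feeds.
# Entries may be single hosts or CIDR blocks.
KNOWN_C2 = ["198.51.100.23", "192.0.2.0/28"]

# Constructed flow export. Column names are an assumption modelled on an nfdump
# CSV. Only metadata is present, never payload, which is why encryption is irrelevant.
FLOWS_CSV = """ts,proto,src,sport,dst,dport,packets,bytes
2024-03-01T10:00:01,TCP,10.0.5.17,51234,198.51.100.23,443,14,2310
2024-03-01T10:00:04,TCP,10.0.5.17,51240,203.0.113.80,443,120,98765
2024-03-01T10:00:09,UDP,10.0.9.3,40001,192.0.2.5,53,2,180
2024-03-01T10:01:12,TCP,10.0.5.17,51260,198.51.100.23,443,16,2410
2024-03-01T10:02:30,TCP,10.0.7.44,44021,192.0.2.200,80,9,1200
2024-03-01T10:03:05,TCP,198.51.100.23,4444,10.0.8.2,52000,5,600
"""


def load_indicators(entries):
    """Normalise host and CIDR indicators into network objects (a /32 for a single host)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_indicator(addr, networks):
    """Return the first indicator network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in networks if ip in net), None)


def find_c2_flows(csv_text, indicators):
    """Map each internal host to the flows it exchanged with a known C2 address."""
    networks = load_indicators(indicators)
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Check both directions: beaconing is usually outbound, but a C2 server
        # connecting back in is just as interesting.
        for c2_side, host_side, direction in (("dst", "src", "outbound"), ("src", "dst", "inbound")):
            hit = match_indicator(row[c2_side], networks)
            if hit is not None:
                hits[row[host_side]].append({
                    "ts": row["ts"],
                    "c2": row[c2_side],
                    "indicator": str(hit),
                    "direction": direction,
                    "dport": int(row["dport"]),
                    "bytes": int(row["bytes"]),
                })
                break
    return dict(hits)


def summarize(hits):
    """Per internal host: flow count, total bytes, and the distinct C2 addresses seen."""
    return {
        host: {
            "flows": len(flows),
            "bytes": sum(f["bytes"] for f in flows),
            "c2_servers": sorted({f["c2"] for f in flows}),
        }
        for host, flows in hits.items()
    }


if __name__ == "__main__":
    for host, info in sorted(summarize(find_c2_flows(FLOWS_CSV, KNOWN_C2)).items()):
        print(f"{host:<12} flows={info['flows']} bytes={info['bytes']} c2={info['c2_servers']}")
```

Because the match is on addresses rather than content, the same script works whether the beacon traffic is TLS on 443 or DNS on 53, which is the point card 22 makes about encrypted traffic and IDS signatures.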

23
Q
During which phase of the incident response would an analyst receive an intrusion detection system alert and verify its accuracy? 
A) Response
B) Mitigation 
C) Detection 
D) Reporting
A

C) Both the receipt of alerts and verification of their accuracy occur during the detection phase of the incident response process.

24
Q
In what virtualization model do full guest operating systems run on top of a virtualization platform? 
A) Virtual machines
B) Software-defined networking
C) Virtual SAN
D) Application virtualization
A

A) Virtual machines run full guest operating systems on top of a host platform known as the hypervisor.

25
Q
An outside entity is attempting to connect to all systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in? 
A) FTP scanning
B) Telnet scanning
C) SSH scanning
D) HTTP scanning
A

C) SSH uses TCP port 22, so this activity is likely an attempt to scan for open or weakly secured SSH servers. FTP uses ports 20 and 21, Telnet uses port 23, and HTTP uses port 80.

26
Q
What level of RAID is also known as disk mirroring? 
A) RAID-0 
B) RAID-1
C) RAID-5
D) RAID-10
A

B) RAID-1 is also known as disk mirroring. RAID-0 is called disk striping, RAID-5 is disk striping with parity, and RAID-10 is known as a stripe of mirrors.

27
Q

Scott is a firewall admin for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, he checked the intrusion detection system, which reported that a SYN flood attack was under way. What firewall configuration change can Scott make to most effectively prevent this attack?
A) Block SYN from known IPs
B) Block SYN from unknown IPs
C) Enable SYN-ACK spoofing at the firewall
D) Disable TCP

A

C) While it may not immediately seem like the obvious answer, many firewalls have a built-in anti-SYN-flood defense that responds to SYNs on behalf of the protected systems. Once the remote system proves to be a legitimate connection by completing the three-way handshake, the rest of the TCP session is passed through. If the connection proves to be an attack, the firewall absorbs the additional load using appropriate mitigation techniques. Blocking SYNs from known or unknown IP addresses is likely to cause issues for systems that should be able to connect, and turning off TCP will break most modern network services.
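The "respond to SYNs on behalf of the protected systems" behaviour above is a SYN proxy. One stateless way to build it is with SYN cookies: the firewall answers every SYN with a SYN-ACK whose initial sequence number is a keyed hash of the connection tuple and a coarse time counter, keeps no state at all, and only when the client's final ACK echoes that value back does it treat the connection as real and open the server side. The Python model below is an added example, not the original flashcards' content and not any particular vendor's implementation; the secret, the 64-second counter period and the addresses are assumptions, and the MSS encoding that real SYN cookies also carry is left out.

```python
import hashlib
import hmac
import secrets

COUNTER_PERIOD = 64                        # seconds per cookie time bucket (assumption)
DEFAULT_SECRET = secrets.token_bytes(16)   # per-process secret; a real box rotates it


def _bucket(now):
    return int(now) // COUNTER_PERIOD


def syn_cookie(src, dst, sport, dport, bucket, secret):
    """32-bit ISN derived from the 4-tuple and time bucket; nothing needs to be stored."""
    msg = f"{src}|{dst}|{sport}|{dport}|{bucket}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class SynProxy:
    def __init__(self, secret=DEFAULT_SECRET):
        self.secret = secret
        # Only connections that complete the handshake consume state here.
        self.established = set()

    def on_syn(self, src, dst, sport, dport, now):
        """Answer a SYN with a SYN-ACK. Returns the ISN to send; stores nothing."""
        return syn_cookie(src, dst, sport, dport, _bucket(now), self.secret)

    def on_ack(self, src, dst, sport, dport, ack, now):
        """Third packet of the handshake. ack-1 must equal a cookie minted in the
        current or previous bucket; anything else is a bogus or stale ACK."""
        echoed = ((ack - 1) & 0xFFFFFFFF).to_bytes(4, "big")
        for b in (_bucket(now), _bucket(now) - 1):
            expected = syn_cookie(src, dst, sport, dport, b, self.secret).to_bytes(4, "big")
            if hmac.compare_digest(echoed, expected):
                # Handshake proven: a real firewall now opens the server-side
                # connection and splices the two halves together.
                self.established.add((src, sport, dst, dport))
                return True
        return False


def simulate_flood(proxy, n_syns, now):
    """Spoofed SYNs that never complete; returns how much state they created."""
    for i in range(n_syns):
        proxy.on_syn(f"192.0.2.{i % 250 + 1}", "203.0.113.10", 1024 + i, 80, now)
    return len(proxy.established)


def legit_handshake(proxy, now, src="198.51.100.7", sport=51000):
    """A real client finishes the handshake by echoing cookie+1."""
    isn = proxy.on_syn(src, "203.0.113.10", sport, 80, now)
    return proxy.on_ack(src, "203.0.113.10", sport, 80, (isn + 1) & 0xFFFFFFFF, now + 1)


if __name__ == "__main__":
    proxy = SynProxy()
    t = 1_700_000_000
    print("state after 10000 spoofed SYNs:", simulate_flood(proxy, 10_000, t))
    print("legitimate handshake accepted:", legit_handshake(proxy, t))
    print("random ACK accepted:", proxy.on_ack("198.51.100.8", "203.0.113.10", 51001, 80, 12345, t))
```

The flood costs the proxy one HMAC per SYN and no memory, which is why the card says the firewall "handles the additional load" rather than the server's backlog queue filling up; the two-bucket check gives a real client up to about a minute to answer before its cookie goes stale.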

28
Q

John Industries recently got into a dispute with a customer. During a meeting with his account rep, the customer stood up and declared, “There is no other solution. We will have to take this matter to court.” He then left the room. When does John Industries have an obligation to begin preserving evidence?

A) Immediately
B) Upon receipt of a notice of litigation from opposing attorneys
C) Upon receipt of a subpoena
D) Upon receipt of a court order

A

A) Companies have an obligation to preserve evidence whenever they believe the threat of litigation is imminent. The statement made by this customer that “we will have to take this matter to court” is a clear threat of litigation and should trigger the preservation of any related documents and records.

29
Q
What legal protection prevents law enforcement agencies from searching a facility or electronic system without either probable cause or consent?
A) First amendment 
B) Fourth amendment 
C) Fifth amendment 
D) Fifteenth amendment
A

B) The Fourth Amendment states, in part, “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” The First Amendment contains protections related to freedom of speech. The Fifth Amendment ensures that no person will be required to serve as a witness against themselves. The Fifteenth Amendment protects the voting rights of citizens.

30
Q

Scott is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor requests that Scott give testimony in court about whether, in his opinion, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Scott being asked to provide?

A) Expert opinion
B) Direct evidence
C) Real evidence
D) Documentary evidence

A

A) Expert opinion evidence allows individuals to offer their opinions based upon the facts in evidence and their personal knowledge. Expert opinion evidence may be offered only if the court accepts the witness as an expert in a particular field. Direct evidence is testimony by witnesses about their direct observations. Real evidence consists of tangible items brought into court as evidence. Documentary evidence consists of written records used as evidence in court.

31
Q

Which of the following techniques is not commonly used to removed unwanted remnant data from magnetic tapes?

A) Physical destruction
B) Degaussing
C) Overwriting
D) Reformatting

A

D) The standard methods for clearing magnetic tapes, according to the NIST guidelines for media sanitization (SP 800-88), are overwriting the tape with nonsensitive data, degaussing, and physical destruction via shredding or incineration. Reformatting a tape does not remove remnant data.

32
Q

John is conducting a forensic investigation and is reviewing database server logs to investigate query contents for evidence of SQL injection attacks. What type of analysis is he performing?

A) Hardware analysis
B) Software analysis
C) Network analysis
D) Media analysis

A

B) The analysis of application logs is one of the core tasks of software analysis. This is the correct answer because SQL injection attacks are application attacks.

33
Q

Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?

A) GNU Public License
B) Freeware
C) Open source
D) Public domain

A

D) If software is released into the public domain, anyone may use it for any purpose, without restriction. All other license types contain at least some level of restriction.

34
Q

What concept from the Federal Rules of Civil Procedure (FRCP) helps to ensure that additional time and expense are not incurred as part of electronic discovery when the benefits do not outweigh the costs?

A) Tool-assisted review
B) Cooperation
C) Spoliation
D) Proportionality

A

D) The benefits of additional discovery must be proportional to the additional costs they will require. This prevents additional discovery requests from becoming inordinately expensive, and the requester will typically have to justify these requests to the judge presiding over the case.

35
Q
Scott wants to gather information about security settings as well as build an overall view of his organization's assets by gathering data about a group of Windows 10 workstations spread throughout the company. What Windows tool is best suited to this type of configuration management task?
A) SCCM 
B) Group Policy 
C) SCOM 
D) A custom PowerShell script
A

A) System Center Configuration Manager (SCCM) provides this capability and is designed to allow administrators to evaluate the configuration status of Windows workstations and servers, as well as providing asset management data. SCOM is primarily used to monitor health and performance, Group Policy can be used for a variety of tasks including deploying settings and software, and a custom PowerShell script could do this but should not be required for a configuration check.

36
Q

James is responsible for disposing of disk drives that have been pulled from his company’s SAN as they are retired. Which of the following options should he avoid if the data on the SAN is considered highly sensitive by his organization?

A) Destroy them physically
B) Sign a contract with the SAN vendor that requires appropriate disposal and provides a certification process.
C) Reformat each drive before it leaves the organization.
D) Use a secure wipe tool like DBAN

A

C) Physical destruction, an appropriate contract with certification, and secure wiping are all reasonable options. In each case, a careful inventory and check should be done to ensure that each drive is handled appropriately. Reformatting drives can leave remnant data, making it a poor data lifecycle choice for drives that contain sensitive data.

37
Q

Staff from John’s company often travel internationally. John believes that they may be targeted for corporate espionage activities because of the technologies that his company is developing. What practice should John recommend that they adopt for connecting to networks while they travel?

A) Only connect to public Wi-Fi
B) Use a VPN for all connections
C) Only use websites that support TLS
D) Do not connect to networks while traveling

A

B) While it may be tempting to tell his staff to simply not connect to any network, John knows that they will need connectivity to do their work. Using a VPN to connect their laptops and mobile devices to a trusted network, and ensuring that all traffic is tunneled through the VPN, is the best bet to secure their internet usage. Scott al