CISSP ch 17

Question 1

Incident

Answer 1

any event that has a negative effect on the confidentiality, integrity or availability of an organization’s assets

Question 2

security incident

Answer 2

an incident that is the result of an attack or the result of malicious or intentional actions on the part of users

Question 3

Incident management steps (7)

Answer 3

Detection

Response

Mitigation

Reporting

Recovery

Remediation

Lessons learned

Question 4

CIRT or CSIRT

Answer 4

Computer incident response team

Computer security incident response team

the designated incident response team

Question 5

Preventive control

Answer 5

attempts to thwart or stop unwanted or unauthorized activity from occurring

E.g., fences, locks, biometrics, separation of duties policies, job rotation policies, data classification, access control methods, encryption, smart cards, callback procedures, security policies, security awareness training, antivirus software, firewalls and intrusion preventions systems

Question 6

Detective control

Answer 6

attempts to discover or detect unwanted or unauthorized activity; operate after the fact

E.g., security guards, motion detectors, recording and reviewing events captured by security cameras or closed circuit television (CCTV), job rotation policies, mandatory vacation policies, audit trails, honeypots or honeynets, intrusion detection systems, violation reports, supervision and reviews of users and incident investigations

Question 7

C2 server / C&C

Answer 7

command and control server (botnet)

Question 8

DRDoS

Answer 8

distributed reflective denial-of-service = uses a reflected approach to an attack; doesn’t attack the victim directly but instead manipulates traffic or a network service so that the attacks are reflected back to the victim from other sources

E.g., DNS poisoning attacks, smurf attacks and fraggle attacks

Question 9

SYN flood attack

Answer 9

a common DoS attack = disrupts the standard three-way handshake used by the Transmission Control Protocol (TCP) to initiate the communication sessions = attackers send multiple SYN packets but never complete the connection with an ACK

Question 10

TCP reset attack

Answer 10

spoofing the source IP address in a RST packet (reset) to disconnect active sessions

Question 11

Smurf attack

Answer 11

another type of flood attack, but it floods the victim with Internet Control Message Protocol (ICMP) each packets instead of with TCP SYN packets = a spoofed broadcast ping request using the IP address of the victim as the source IP address

Question 12

fraggle attack

Answer 12

similar to smurf attacks, but instead of using ICMP, uses UDP packets over UDP ports 7 and 19 = will broadcast a UDP packet using the spoofed IP address of the victim, all systems on the network will then send traffic to the victim

Question 13

Ping flood attack

Answer 13

floods a victim with ping requests (e.g., sent from a botnet)

Question 14

MiTM attack

Answer 14

man-in-the-middle attack = on-path attack

Question 15

IDS

Answer 15

Intrusion detection system = automates the inspection of logs and real-time system events to detect intrusion attempts and system failures

Question 16

IDPS

Answer 16

Intrusion detection and prevention system

Question 17

IPS

Answer 17

Intrusion prevention system = placed inline with traffic

Question 18

Knowledge/signature based detection

Answer 18

pattern-matching detection = uses signatures similar to the signature definitions used by antimalware software

Low false positive rate

Only effective against known attack methods

Question 19

Behavior based detection

Answer 19

statistical intrusion detection = anomaly detection = heuristics-based detection = doesn’t use signatures, instead compares activity against baseline of normal performance to detect abnormal behavior

Question 20

NOCs

Answer 20

network operations centers

a centralized location where computer, telecommunications, or satellite networks systems are monitored and managed 24x7

Question 21

HIDS

Answer 21

host-based IDS = monitors a single computer or host

Question 22

NIDS

Answer 22

network-based IDS = monitors a network by observing network traffic patterns

Question 23

SIEM

Answer 23

security information and event management

Question 24

SPAN port

Answer 24

Switched Port Analyzer port = port used for port mirroring (mirroring all traffic on the switch)

Question 25

RARP

Answer 25

Reverse Address Resolution Protocol = used by a NIDS to discover the source of an attack

Question 26

NIPS

Answer 26

network-based IPS

Question 27

Pseudo-flaws

Answer 27

false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers

Question 28

IANA

Answer 28

Internet Assigned Numbers Authority = maintains a list of well-known ports matched to protocols

Question 29

WAF

Answer 29

web application firewall

Question 30

NGFW

Answer 30

next generation firewall

Question 31

UTM

Answer 31

unified threat management

Question 32

Security logs

Answer 32

Record access to resources such as files, folders, printers and so on

Question 33

System logs

Answer 33

Record system events such as when a system starts or stops, when services start or stop, or when service attributes are modified

Question 34

Application logs

Answer 34

Record information for specific applications

Question 35

Firewall logs

Answer 35

Record events related to any traffic that reaches a firewall

Includes traffic that the firewall allows and traffic that the firewall blocks

Commonly log packet information such as source and destination IP addresses and source and destination ports but not the packets’ actual contents

Question 36

Proxy logs

Answer 36

Record details such as what sites specific users visit and how much time they spend on these sites

Record when users attempt to visit known prohibited sites

Question 37

Change logs

Answer 37

Record change requests, approval and actual changes to a system as a part of an overall change management process

Question 38

FIPS 200

Answer 38

Minimum Security Requirement for Federal Information and Information Systems

Question 39

NTP

Answer 39

Network Time Protocol = used to ensure that logs have accurate timestamps

Question 40

SIEM tools

Answer 40

(security information and event management) tools

Provide centralized logging and real-time analysis of events occurring on systems throughout an organization

Question 41

Syslog protocol

Answer 41

used to send event notification messages

Defined in RFC 5424

A centralized syslog server receives syslog messages from devices on a network

The protocol defines how to format the messages and how to send them to the syslog server but not how to handle them

Historically been used in Unix and Linux systems

Question 42

syslog daemon

Answer 42

handles all incoming syslog messages, similar to how a SIEM server provides centralized logging

Question 43

clipping

Answer 43

a form of nonstatistical sampling; selects only events that exceed a clipping level, which is a predefined threshold for the event

Question 44

traffic / trend analysis

Answer 44

network flow monitoring = forms of monitoring that examine the flow of packets rather than actual packet contents

Question 45

rollover / circular logging

Answer 45

log cycling = allows administrators to set a maximum log size; when the log reaches that size, the system begins overwriting the oldest events in the log

Question 45

DLP techniques

Answer 45

data loss prevention techniques = used to detect or prevent data exfiltration

Question 46

Digital watermark

Answer 46

a secretly embedded marker in a digital file, doesn’t work if file is encrypted

Question 47

SOAR

Answer 47

Security orchestration, automation and response = a group of technologies that allow organizations to respond to some incidents automatically

Question 48

Playbook and Runbook

Answer 48

Playbook = a document or checklist that defines how to verify an incident and to respond

Runbook = implements the playbook data into an automated tool

Question 49

Cyber Kill Chain

Answer 49

created by Lockheed Martin)

Reconnaissance: Attackers gather information on the target

Weaponization: Attackers identify an exploit that the target is vulnerable to, along with methods to send the exploit

Delivery: Attackers send the weapon to the target via phishing attacks, malicious email attachments, compromised websites, or other common social engineering methods

Exploitation: The weapon exploits a vulnerability on the target system

Installation: Code that exploits the vulnerability then installs malware, the malware typically includes a backdoor, allowing the target to access the system remotely

Command Control: Attackers maintain a command and control system, which controls the target and other compromised systems

Actions on objectives: Attackers execute their original goals such as theft of money, theft of data, data destruction or installing additional malicious code such as ransomware

Question 50

TTPs

Answer 50

tactics, techniques and procedures

Question 51

Threat feed and threat intelligence feed

Answer 51

Threat feed = a steady stream of raw data related to current and potential threats

Threat intelligence feed = attempts to extract actionable intelligence from the raw data = examples of information:

Suspicious domains

Known malware hashes

Code shared on internet sites

IP addresses linked to malicious activity

Question 52

threat hunting

Answer 52

process of actively searching for cyber threats in a network