CISSP Domain 7

Question 1

Incident management steps

Answer 1

Detect
Response - Severity of incident (CIRT)
Mitigate
Reporting
Recovery
Remediation
Lessons learned

Question 2

Primary goals of effective incident management

Answer 2

Limit effect or scope of an incident

Question 3

Recovery

Answer 3

Effective incident and configuration management

Question 4

Remediation

Answer 4

Perform RCA

Question 5

Botnets

Answer 5

Multiple bots in a network form a botnet and will do what attackers instruct to do

C&C

Question 6

DoS

Answer 6

So many data packets sent across to a server causing system to slow

Question 7

DDoS

Answer 7

When Multiple systems attack a single system at same time

Question 8

DRoS

Answer 8

Manipulates traffic or network device so that attacks are reflected back to the victim from other sources

Question 9

SYN flood

Answer 9

Doesn’t complete three way handshake

Doesn’t send ack hence gets flooded

Question 10

Smurf attack

Answer 10

Floods victim with ICMP echo packets instead of TCP SYN packets
Attacker send echo request out as a broadcast to all systems on networks to spoof the source IP address.

All these systems respond with with Echo replies to spoofed IP address

Question 11

Fraggle attack

Answer 11

Smurf attack instead of ICMP uses UDP

Question 12

Ping flood

Answer 12

Flood victims with ping requests

Question 13

Ping of death

Answer 13

Oversized ping packets

Question 14

Teardrop

Answer 14

Attack Fragmented data packets, making it too difficult to put it back by receiving system

Question 15

Land attack

Answer 15

Sends spoofed syn packets to a victim using victims IP address as both the source and destination IP address

Question 16

2 types of MiTM

Answer 16

Sniffing traffic between two parties

Store and forward proxy mechanism by sitting in between

Question 17

Types of IDS

Answer 17

knowledge based - IDS can have sensors or agents to monitor key devices , signature based

Behaviour based - Create a baseline to detect abnormal behaviour

Question 18

IDS response

Answer 18

Passive response- Notification can be sent to admins in email or text message

Dashboard type

Active Response: Modify environment using Firewall

Question 19

IDS types

Answer 19

Host based

Network based

Question 20

NIPS

Answer 20

Block an attack after it starts

Question 21

Honeypot and Honeynet

Answer 21

Enticement or decoy

Don’t make it entrapment

Honeynet - Two or more networked honeypots used together

Hosted on VM for easy re creation

Question 22

Firewall blocks

Answer 22

Router to block broadcast

Private IP address

Question 23

Sandboxing

Answer 23

Provides security boundary for apps and prevents the apps interacting with other apps

Question 24

Goal of logging and monitoring

Answer 24

To prevent incidents and provide effective response when they occur

Question 25

Common log types - Security

Answer 25

Security logs: Record access to resources such as files, folders , printers

Question 26

System logs

Answer 26

When system, service starts or stops

Question 27

Application logs

Answer 27

Application devoloper choose what to record in app logs

Question 28

What type of control are audit trails ?

Answer 28

Deterrent

Question 29

SIEM - Sampling

Answer 29

Data reduction to use precise mathematical functions to extract meaningful information from large volume of data

Question 30

Clipping levels

Answer 30

Non stastical sampling - Discretionary of the owner - Discretionary sampling

Predefined threshold for the event

Question 31

Rollover logging

Answer 31

Admins set maximum log size then over write the logs

Question 32

SOAR

Answer 32

Automated response to some incidents

Question 33

SOAR - Incident response methods

Answer 33

Playbook - What needs to be done if an incident occurs

Runbook - playbook data into an automated tool

Example: IDS implementing it

SOAR technologies will automatically deal with false positives based on runbook

Question 34

Difference between ML and AI ?

Answer 34

Reinforcement learning (Plays itself) Vs zero knowledge of the game

Seperate algorithm outside of AI system enforce rules

Behaviour based users ML to learn from false positives

AI starts without a baseline creates it’s own baseline based on traffic. It looks for anomalies

Question 35

Threat intelligence

Answer 35

Gathering data on potential threats

Question 36

Kill chain

Answer 36

Reconciance

Weaponization

Delivery

Exploitation

Installation

C&C

Actions on objectives

Question 37

MITRE attack

Answer 37

KB of TTP used by attackers in various attacks

Question 38

Threat feeds

Answer 38

Steady stream of raw data related to current and potential threats

Suspicious domains

Known malware hashes

Code shared on internet sites

IP addresses linked to malicious activity

Question 39

Threat hunting

Answer 39

Actively searching for cyber threats in networks basically IoC’s

Question 40

False negatives

Answer 40

When there is attack but IDS doesn’t detect and raise

Question 41

Igress and Egress monitoring

Answer 41

Monitoring incoming traffic

Monitoring outgoing traffic

Question 42

Fault tolerance

Answer 42

Primary goal of fault tolerance is to eliminate SPOF

Ability of system to suffer a fault but continue to operate

Achieved by RAID array or additional components with failover clustered configuration

Question 43

SPOF

Answer 43

Components which can cause entire system to fail

Question 44

System resilience

Answer 44

Ability is system to maintain an acceptable level of service during an adverse event

In some events ability of system to to return to previous stateafter an adverse event

Question 45

High availability

Answer 45

Use of redundant technology components to allow the system to quickly recover from a failure after expecting a brief disruption

Load balancing and failover servers

Question 46

Load balancing

Answer 46

Primary responsibility is to balance network traffic and handle more

But can sense the failure and stop sending traffic

Question 47

UPS and generator

Answer 47

Goal of UPS is to give power to 15-30 minutes so that you could logically shutdown system

Generator to provider power long enough

Question 48

Fail open vs fail secure state

Answer 48

Granting all access

Blocking all access

Choice should be based on security or availability

Question 49

Two elements of recovery process

Answer 49

1. Failure preparation: Systems resilience, fault tolerance, reliable back-up solution
2. System recovery: Restoration of all affected files and services actively in use on system at time of failure or crash

Question 50

Type of recovery

Answer 50

Manual
Automatic
Automated recovery with undue loss: Specific objects are protected to prevent their kids

Additionally you can rebuild data from transaction looks

Function recovery: Specific functions

Question 51

QoS

Answer 51

Protect availability of data network under loads

Bandwidth: N capacity to carry loads

Jitter : Variation in latency between packets

Latency: Time taken for travel from source to destination

Packet loss: Lost between source and destination

Interference: Noise , corruption of packets

Question 52

One of the goal of DRP

Answer 52

Restoration of work groups to the point they can resume their activities in their usual work locations

Question 53

Alternate processing sites

Answer 53

Cold site: Facility there but nothing more it might take a week or two get it running

Hot site : Expensive can be up and running

Warm site : Might take 12 hours there are some critical components
“ No lockout policy”

Mobile site: Any operating location it can be deployed on fly away basis

Best for workgroup

Question 54

Mutual assistance agreement

Answer 54

Two organisation assist each other in event of disaster

Concerns:

1. Same geography
2. Confidentiality
3. Refused to support

Question 55

Electronic vaulting

Answer 55

bulk transfer to a remote site

Stored in back up vaults on off-site

Question 56

Remote Journaling

Answer 56

Backup of Db transaction logs that occurred since previous bulk transfer

Question 57

Remote mirroring

Answer 57

A live DB is maintained at back up site
Remote server receives copy of database modifications at same time to production server

Question 58

Important point when it comes to checklist

Answer 58

Arrange checklist tasks in order of priority, with most important task first

Question 59

Backups and off site storage

Answer 59

Full backup - complete copy of data contained in the protected device

Incremental backup- Whatever data modified (store only those files) will be backed up at end of the day since last full back up

Deferential backup- * store All data/files* since the last full backup

Question 60

Difference between incremental and differential back-up

Answer 60

Time to restore data in event of emergency

Full+ Deferential - 2 recent backup files of these both

Full+ incremental - recent full+ all incremental since full backup

Deferential backup takes longer to create but lesser time to restore compared to incremental

Question 61

Software escrow agreement

Answer 61

Tool to protect against failure of a software developer to provide support for is products against possibility devloper going out of business and no tech support available

Question 62

Recovery Vs Restoration

Answer 62

Bringing business operations and processes back to working state

Bringing business facility and environment back to workable state

Question 63

Salvage team

Answer 63

To restore the company to full capabilities to begin their work

Question 64

Structured walk through

Answer 64

Structured walk though - Scenario based in large conference room role play a disaster scenario and then participants refer copies and discuss response to that

May involve interruption non critical business activities

Question 65

Stimulation test

Answer 65

Present scenario and response is asked to develop

Then response is tested

Question 66

Parallel test

Answer 66

Relocation of personnel to Alternate recovery site and implement site activation

Question 67

Full interruption test

Answer 67

Shutting down operations at primary site and shifting them to recovery site

Question 68

Redundant

Answer 68

Copy of duplicate

Question 69

RAID 0

Answer 69

Performance and data stripping

Question 70

RAID 1, 1-0 , 3 , 5, 6

Answer 70

Availability by Mirroring - 2 disks

1-0 - Stripping and mirroring

Raid 3 - Parity bit(disk) to reconstruct data if any one of multiple disks fails

Raid 5 - Parity and disk distributed to all disk

Raid 6 - 2 Parity disks if 2 disks fails then you can recover data

Question 71

Configuration management

Answer 71

Baselining for all systems

Question 72

Recovery team

Answer 72

Used to get critical function running at alternate site

Question 73

Salvage team

Answer 73

Used to return the primary site to normal

Question 74

Waterfall

Answer 74

Very linear, each phase leads

Once phase done can’t go back

Question 75

Administrative investigations

Answer 75

Policy violations internal to organization

Question 76

Criminal investigations

Answer 76

Conducted by law enforcement

Beyond a reasonable doubt

Question 77

Civil investigation

Answer 77

Internal employees and outside consultants on behalf of legal teams

Question 78

Regulatory investigations

Answer 78

Conducted by govt. agencies when individuals have violated admin law

Question 79

E discovery and steps

Answer 79

To preserve evidence share information with adversaries in the proceedings

Info governance
Identification
Preservation
Collection
Processing
Review
Analysis
Production
Presentation

Question 80

Admissible evidence and requirements

Answer 80

Relevant - Fact
Material (related) to case
Competent ( obtained legally )

Question 81

Types of evidence and evidence rules

Answer 81

1. Real evidence - object evidence
2. Documentary evidence - Written items
   - best evidence rules
   - parol evidence rule - Written agreement no verbal agreement

If documentary evidence follow above 2 rules + 3 admissible related rules then it can be admitted to court

3. Testimonial evidence : Testimony of witnesses through direct or expert opinion
4. Demonstrative evidence:

Evidence used to support testimonial evidence

Question 82

Media Analysis - Always work on copy

Answer 82

Identification and extraction of info from storage media

a. Magnetic media b. Optical media

Use writer blocker to avoid tampering of data after disconnecting and connecting to physical workstation

Question 83

In- Memory analysis

Answer 83

When gathering contents from Memory analyst should use trusted tools like Memory dump file

Compute Cryptographic values for authenticity

Question 84

Network analysis

Answer 84

Use SPAN port - Generate copy of packet dump

Question 85

Network analysis

Answer 85

Use SPAN port - Generate copy of packet dump

Question 86

Software analysis

Answer 86

Software code - looking for logic bomb, backdoor

Question 87

Hardware/ Embedded device

Answer 87

Contents of hardware

Question 88

Investigating process

Answer 88

Gathering evidence
1. Voluntary surrender
2. Subpoena
3. Plain view doctrine
4. Search warrant
5. Exigent evidence

Calling in law enforcement

Conducting the investigation

Interviewing the individuals

Data integrity and data retention

Reporting and documenting investigations

Question 89

APT

Answer 89

Advanced technical skills and resources act on behalf of nation state, organised crime

Question 90

Script kiddies

Answer 90

For the thrill the attackers may download scripts freely available on internet to compromise system