CISSP: Security Operations Flashcards
- The two types of intrusion detection are
A. Attack-based systems and response-based systems
B. Signature-based systems and anomaly-based systems
C. Knowledge-based systems and scripture-based systems
D. Passive monitoring systems and active monitoring systems
B. Signature-based systems and anomaly-based systems
The two types of IDS are signature-based and anomaly-based. Review “Intrusion detection and prevention.”
- Recording data traveling on a network is known as
A. Promiscuous mode
B. Packet sniffing
C. Packet snoring
D. Packing sneaking
B. Packet sniffing
Packet sniffing is the technique used to record network traffic. Review “Penetration testing.”
- Which of the following is NOT an example of penetration testing?
A. Radiation monitoring
B. War driving
C. Port scanning
D. War diving
D. War diving
War diving isn’t a testing technique, but radiation monitoring, war driving, and port scanning are. Review “Penetration testing.”
- Trusted recovery is concerned with
A. The ability of a system to be rebuilt
B. The vulnerability of a system while it’s being rebuilt
C. The ability of a system to rebuild itself
D. The willingness of a system to rebuild itself
B. The vulnerability of a system while it’s being rebuilt
Most operating systems in single-user mode lack the security controls present in a system that’s fully operational. Review “Security Controls.”
- The third-party inspection of a system is known as a(n)
A. Confidence check
B. Integrity trail
C. Audit trail
D. Audit
D. Audit
An audit is an inspection of a system or process. Review “Security Auditing and Due Care.”
- One of the primary concerns with long-term audit log retention is
A. Whether anyone will be around who can find them
B. Whether any violations of privacy laws have occurred
C. Whether anyone will be around who understands them
D. Whether any tape/disk drives will be available to read them
D. Whether any tape/disk drives will be available to read them
The challenge with audit log retention is choosing a medium that will be readable many years in the future. Review “Retaining audit logs.”
- The required operating state of a network interface on a system running a sniffer is
A. Open mode
B. Promiscuous mode
C. Licentious mode
D. Pretentious mode
B. Promiscuous mode
Promiscuous mode describes the state of a network interface that accepts all packets on the network, not just those addressed to the system. Review “Penetration testing.”
- Filling a system’s hard drive so that it can no longer record audit records is known as a(n)
A. Audit lock-out
B. Audit exception
C. Denial of Facilities attack
D. Denial of Service attack
D. Denial of Service attack
Filling a system’s hard drive is one way to launch a Denial of Service attack on an audit log mechanism. Filling the hard drive prevents the mechanism from being able to write additional entries to the log. Review “Protection of audit logs.”
- An investigator who needs to have access to detailed employee event information may need to use
A. Keystroke monitoring
B. Intrusion detection
C. Keystroke analysis
D. Trend analysis
A. Keystroke monitoring
Keystroke monitoring records every key press and mouse movement. Review “Keystroke monitoring.”
- Which of the following is NOT true about a signature-based IDS?
A. It reports a low number of false-positives.
B. It requires periodic updating of its signature files.
C. It reports a high number of false-positives.
D. It can’t detect anomalies based on trends.
C. It reports a high number of false-positives.
Signature-based IDSs generally have a low number of false-positives. Review “Intrusion detection and prevention.”
- Which of the following is NOT commonly used to eliminate single points of failure?
A. RAID 0
B. RAID 1
C. A second connection to the Internet by using a different ISP
D. Load-balanced cluster server array
A. RAID 0
RAID 0, a stripe set, provides improved performance but no fault tolerance or redundancy.
- In black box penetration testing, what information is provided to the red team about the target environment?
A. The targets and testing time frame
B. Everything
C. Nothing
D. The IP subnet architecture of the enterprise
C. Nothing
Black box testing provides no information to the testing team (the red team).
- What term describes the statistical appraisal of the functional lifetime of a system or device?
A. Maximum tolerable downtime (MTD)
B. Statistical deviation
C. Mean time to repair (MTTR)
D. Mean time between failures (MTBF)
D. Mean time between failures (MTBF)
Mean time between failures (MTBF) is the statistical appraisal of the functional lifetime of a system or device.
- A device used to return all bits on magnetic media to a neutral state is performing what function?
A. Active reconnaissance
B. Zeroization
C. Zero-day attack
D. Passive reconnaissance
B. Zeroization
Degaussing or overwriting all bits with zeros returns all magnetic impulses that represent bits on magnetic media to a neutral state. This process is called zeroization.
- Hierarchical storage management (HSM) is best described by which of the following?
A. The way files and directories are stored on a disk drive
B. The way tapes are rotated offsite by armed guards in armored trucks
C. The way files are migrated away from expensive and fast storage onto cheaper and slower storage
D. The way disk drives are spun down to reduce power consumption and heat and prolong the life of the disks when the files they hold are not needed
C. The way files are migrated away from expensive and fast storage onto cheaper and slower storage
In HSM, files are migrated away from expensive and fast storage onto cheaper and slower storage as the data becomes less current and/or useful to users. Typically, in an HSM environment, the data remains online but with longer access times.