Domain 2 - Security Operations

Question 1

What is a baseline?

Answer 1

A detailed configuration standard that includes specific security settings.

Question 2

Some examples of Security Guidelines?

Answer 2

1. Method for selecting a strong password.
2. criteria for evaluating new security technology
3. Suggest training curricula for staff.

Question 3

What is a standard?

Answer 3

A formal, documented requirement that set uniform criteria for a specific technology, configuration, nomenclature, or method.

Question 4

What helps organizations help maintain consistency in the way security risks are addressed?

Answer 4

Standards, baselines, procedures, and even guidelines.

Question 5

What is a procedure?

Answer 5

Step-by-step instructions for performing a specific task or set of tasks.

Question 6

What are the typical components of a procedure?

Answer 6

Purpose
Applicability
Steps
Figures
Decision Points

Question 7

What is release management?

Answer 7

A software engineering discipline that controls the release of applications, updates, and patches to the production environment.

Question 8

What is the goal of release management?

Answer 8

To provide assurance that only tested and approved application code is promoted to production or distributed for use.

Question 9

Code Signing?

Answer 9

Assists users in validating that the application was issued by a trust source.

Typically used for web apps running Java or ActiveX

Question 10

Smoke Tested?

Answer 10

High-level, scripted testing of the major application components and interfaces to validate the integrity of the application before making it available.

Question 11

Systems Assurance?

Answer 11

Process of validating that existing security controls are configured and functioning as expected.

Question 12

Change Control?

Answer 12

Process adopted by an organization to ensure that all changes to system and application software are subject to the appropriate level of management control.

Question 13

Change Control Process?

Answer 13

Request Submission
Recording
Analysis/Impact Assessment
Decision Making and Prioritization
Approval
Status Tracking

Question 14

CM

Answer 14

CONFIGURATION MANAGEMENT

Discipline that seeks to manage configuration changes so that they are appropriately approved and documented.

“Technical and Administrative’ Process

Question 15

Typical Steps in the configuration management process.

Answer 15

Change Request
Approval
Documentation
Testing
Implementation
Reporting

Question 16

Four Operational Aspects of CM

Answer 16

Identification
Control
Accounting
Auditing

Question 17

CMBD

Answer 17

CONFIGURATION MANAGEMENT DATABASE

Holds information about the structure of the system.

Question 18

CI

Answer 18

CONFIGURATION ITEM

Component of each system listed in the CMBD using a name, number, and version ID.

Question 19

Security Impact Assessment

Answer 19

Analysis conducted by qualified staff within an organization to determine the extent to which changes to the information system affect the security posture of the system.

Question 20

Interoperability

Answer 20

Describe the extent to which systems and devices can exchange data and interpret that shared data.

Question 21

Syntactical Interoperability

Answer 21

Two or more systems that are capable of communicating and exchanging data.

Question 22

Patch Management Process

Answer 22

1. Acquisition - Find Patch
2. Testing - Test Patch before installation
3. Approval - Approve for deployment
4. Packaging - Package or configure for OS.
5. Deployment
6. Verification

Question 23

SSCP Domains

Answer 23

Access Controls
Analysis and Monitoring
Cryptography
Malicious Code
Networks & Telecom
Risk, Response, & Recovery
Security operations and administration

Question 24

BMS

Answer 24

BALANCED MAGNETIC STRIP

Device that uses a magnetic strip to determine if an alarm signal is initiated.

Question 25

PIR

Answer 25

PASSIVE INFRARED SENSORS

Common interior intrusion detection sensors.

ex. Occ Sensor

Question 26

Electric Locks vs Electric Strikes

Answer 26

Electric Locks use the doors physical locks.

Electric Strikes - bolts remains the same, but strike is changed.

Question 27

Anti-Passback

Answer 27

Strategy where a person must present a credential to enter an area and again to leave.

Question 28

‘Mantrap”

Answer 28

When a person opens a door, and for the next door to open, the one just enter must securely close.

Question 29

Rim Lock

Answer 29

Lock (or latch) typically mounted on the surface of a door.

Ex - dead bolt

Question 30

Mortise Lock

Answer 30

Lock (or latch) that is recessed into the edge of a door rather than on the surface.

Ex - Handle + Lock in single package.

Question 31

Locking Cylinders

Answer 31

Pin Tumbler cylinder is composed of circular pin tumblers that fit into matching circular holes on two internal parts of the lock.

Question 32

Cipher Lock

Answer 32

Controlled by a mechanical key pad.

Think of front door handle with PIN pad on it.

Question 33

Vaults - Class M

Answer 33

One 1/4 hour

Question 34

Vaults - Class 1

Answer 34

One 1/2 hour

Question 35

Vaults - Class 2

Answer 35

One hour

Question 36

Vaults - Class 3

Answer 36

Two hours

Question 37

Classified Container

Answer 37

Reinforced Filing Cabinet that can store proprietary and sensitive information.

Question 38

Cable Plant Management

Answer 38

Design, Documentation, and management of layer 1 in the OSI model, the Physical Layer.

Question 39

MTBF

Answer 39

MEAN TIME BEFORE FAILURE

Question 40

Two-Person Rule

Answer 40

Strategy where two people must be in an area together, making it impossible for a person to be in the area alone.

Question 41

Two main categories of smoke detectors

Answer 41

1. Optical (Photoelectric)

2. Physical (Ionization)

Question 42

Three Types of Fire Detectors

Answer 42

1. Flame Detectors
2. Smoke Detectors
3. Heat Detectors

Question 43

Two Types of Flame Detectors

Answer 43

1. IR

2. UV

Question 44

Four Groups of Sprinkler Systems

Answer 44

1. Wet Systems - Constant supply of water
2. Dry Systems - Releases when value is stimulated by excess heat.
3. Pre-Action - No water until detectors in the area are activated. Removes ‘False Alarms’.
4. Deluge - Same as pre-action, but all sprinkler heads are in the open position.

Question 45

2 Types of Gas Suppression

Answer 45

1. Aero-K: Uses aerosol of potassium

2. FM-200: Colorless, liquefied compressed gas.

Question 46

6 Aspects in the Change Control Policy Document

Answer 46

1. Request Submission
2. Recording
3. Analysis/Impact Assessment
4. Decision Making & Prioritization
5. Approval
6. Status Tracking

Question 47

Operational Aspects of CM?

Answer 47

Identification, Control, Accounting, Auditing

Question 48

Systems Certification Process?

Answer 48

Method of validating adherence to security requirements.

Question 49

Dual Control

Answer 49

Antifraud measure that requires two people to complete a transaction.

Question 50

Waterfall Model

Answer 50

Development method that follows a linear sequence of steps.

Question 51

What two things are used to accomplish non-repudiation?

Answer 51

Digital Signatures

Public Key Infrastructure

Question 52

What are the elements that make up IS risks?

Answer 52

Threat, Vulnerability, Impact

Risk = Threat + Vulnerability + Impact

Question 53

Remote Attestation

Answer 53

Form of integrity protection that makes use of a hashed copy of hardware and software configuration to verify that configurations have not been altered.

Question 54

4 Tenets of the Code of Ethics

Answer 54

1. Protect Society, commonwealth, and infrastructure
2. Act honorably
3. Provide Diligent service to principals
4. Advance/Protect Profession

Question 55

Confidentiality

Answer 55

Property of information in which it is only made available to those who have a legitimate need to know.

Question 56

Integrity

Answer 56

Property of information whereby it is recorded, used, and maintained in a way that ensures its accuracy.

Question 57

RAID

Answer 57

REDUNDANT ARRAY OF INDEPENDENT DISKS

ex. Controllers, UPS, Backup and recovery

Question 58

Non-repudiation

Answer 58

Service that ensures the sender cannot deny a message was sent and the integrity of the message is intact.

Question 59

(ISC)2 Code of Ethics

Answer 59

1. Protect Society, commonwealth, and infrastructure
2. Act honorably, honestly, justly, responsibly, and legally. 3. Provide diligent and competent service to principals 4. Advance and protect the profession.

Question 60

Donn Parker’s 5 Ethical Principles

Answer 60

1. Informed Consent
2. Higher ethic in the worst case
3. Change of Scale Test
4. Owner’s conservation of ownership
5. , User’s conservation of ownership

Question 61

C-I-A Triad

Answer 61

Confidentiality
Integrity
Availability

Question 62

Confidentiality

Answer 62

Property of information in which it is only made available to those who have a legitimate need to know.

Question 63

Methods for Maintaining a level of Confidentiality

Answer 63

Authorization
Identity
Access Management Encryption and Disclosure controls

Question 64

DLP

Answer 64

Data Leakage Prevention

Question 65

Integrity

Answer 65

Property of information whereby it is recorded, used, and maintained in a way that ensures it’s completeness, accuracy, internal consistency, and usefulness for a stated purpose.

Question 66

Systems Integrity

Answer 66

Maintenance of a known good configuration and expected operational function.

Question 67

Sarbanes-Oxley Act of 200

Answer 67

Mandates certain controls over the integrity of financial reporting.

Question 68

SLA

Answer 68

Service Level Agreement

Specify percentage of uptime as well as support procedures and communication for planned outages.

Question 69

RTO

Answer 69

Recovery Time Objectives Specify the acceptable duration of an unplanned outage due to catastrophic system non-availability.

Question 70

Non-repudiation

Answer 70

Service that ensures the sender cannot deny a message was sent and the integrity of the message is intact.

Question 71

Security Architecture

Answer 71

The practice of designing a framework for the structure and function of information security systems and practices in the organization.

Question 72

Essential Best Practices Include:

Answer 72

Defense-in-depth
Risk-based controls
 Least Privilege 
Authorization
Accountability 
Separation of Duties

Question 73

Calculate Risk Equation

Answer 73

IMPACT + VULNERABILITY + THREAT = RISK

Question 74

LUA

Answer 74

“Least User Access “

“Least Privilege”

Question 75

Difference Categories of Controls

Answer 75

1. Management - Controls concerning risk (Policy and Procedures)
2. Technical - Executed in hardware,software, and firmware.
3. Operational - Primarily implemented and executed by people.

Question 76

NIST SP 800-88

Answer 76

NIST Matrix for Determining Requirements for Clearing and Sanitizing Media

Question 77

Oersteds

Answer 77

Unit of measurement for the intensity of the magnetic energy a disk or tape can store.

Question 78

Degaussing

Answer 78

A technique of erasing data on disk or tape that ensures that there is insufficient magnetic remanances to reconstruct data.

Question 79

IRM

Answer 79

Information Rights Management

Functions to assign specific properties to an object such as how long the object may exist, what users can access it, and if any notifications should be sent if any changes occur.

Question 80

Data Scrubbing

Answer 80

aka Data Sanitization

Obfuscate sensitive data in such a way that the actual data values cannot be deduced or derived from the sanitized data itself.

Question 81

DeDupication

Answer 81

Process that scans the entire collection of information looking for similar chucks of data that can be consolidated.

Question 82

ITAM

Answer 82

IT Asset Management

Entails collecting inventory, financial, and contractual data to manage the IT Asset throughout its life cycle.

Question 83

Session Management

Answer 83

Includes timing out inactive sessions, deleting session information after timeout, not passing credentials in URL strings, and using salted hashes to protect session IDs.

Question 84

CSRF

Answer 84

Cross Site Request Forgery

Forces a logon victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other authentication information, to a vulnerable web app. Allows attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

Question 85

Missing Function Level Access Control

Answer 85

While most web apps verify function-level access rights before making that functionality visible in the UI, apps need to perform the same AC checks on the server when each function is accessed. If not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

Question 86

Insecure Direct Object References

Answer 86

Direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Attacker can manipulate these reference to access unauthorized data.

Question 87

XSS

Answer 87

Cross Site Scripting

Flaws that occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. Allows attackers to execute script in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

Question 88

Injection

Answer 88

SQl, OS, and LDAP Injections, occur when untrusted data is sent to an interpreter as part of a command or query. Attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Question 89

OWASP Top 10

Answer 89

1. Injection
2. Broken Authentication & Session Management
3. XSS - Cross Site Scripting
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level AC
8. CSRF (Cross Site Request Forgery)
9. Using Components with Known Vulnerabilities
10. Un-validated Redirects and Forwards

Question 90

OWASP

Answer 90

Open Web Application Security Project

Free, available listing of the top vulnerabilities found in web applications.

Question 91

Agile

Answer 91

Example of Iterative Development Model.

Relies on feedback from application users and development teams as their primary control mechanism.

Question 92

RAD

Answer 92

Rapid Application Development

Leverage modern development environments that make it possible to quickly build UI components as requirements are gathered.

PROS? Quick and typically catches issues early.

CONS? Can suffer from ‘Scope Creep’, as new requirements are continually added and teams lose sight of the end goal.

Question 93

Spiral Model

Answer 93

Similar to the Waterfall Development Cycle, but adds a repeated PDCA (Plan-Do-Check-Act) sequence at the end of each stage.

Question 94

What phase is Web App design is the Software programming completed?

Answer 94

Implementation

Question 95

Who participates in the design phase of a Web App?

Answer 95

Security Architect or administrator.

Question 96

The general designed document, once refined to produce specifications for the….

Answer 96

Detailed design.

Question 97

Where the design may first be laid out?

Answer 97

General Design Document

Question 98

“Who signs off the ‘Requirements Gathering and Analysis”

Answer 98

Project Sponsor and stakeholders

Question 99

The Waterfall Model

Answer 99

6 Steps for developmental software applications as safely and securely as possible.

1. Requirement Gathering and Analysis
2. System Design
3. Implementation
4. Integration
5. Deployment
6. Maintenance

Question 100

UML

Answer 100

Unified Modeling Language

Documentation of the sequences of actions called uses cases.

Question 101

Authorization Official or Approver

Answer 101

Senior executive or manager with the authority to assume full responsibility for the system covered in the system security plan.

Question 102

Security Officer

Answer 102

Responsible for coordinating development, review, and acceptance of security plans and for IDENTIFICATION, IMPLEMENTATION, ADMINISTRATION, and ASSESSMENT.

Question 103

Information Owner

Answer 103

Has overall authority for the information stored, processed, or transmitted by the system. Responsible for specifying policies for appropriate use of information and security requirements for protecting information in the system.

Question 104

System Owner

Answer 104

Responsible for decisions regarding system procurement or development, implementation and integration, and operation and ongoing maintenance.

Question 105

System Security Plan

Answer 105

Comprehensive document that details the security requirements for a specific system, the controls established to meet those requirements, and the responsibilities and expected behaviors of those administering and accessing the system.

Question 106

AC (Security Control)

Answer 106

Access Control

Technical

Question 107

AT (Security Control)

Answer 107

Awareness Training

Operational

Question 108

AU (Security Control)

Answer 108

Audit and Accountability

Technical

Question 109

CA (Security Control)

Answer 109

Security Assessment and Authorization

Management

Question 110

CM (Security Control)

Answer 110

Configuration Management

Operational

Question 111

CP (Security Control)

Answer 111

Contingency Planning

Operational

Question 112

IA (Security Control)

Answer 112

Identification and Authentication

Technical

Question 113

IR (Security Control)

Answer 113

Incident Response

Operational

Question 114

MA (Security Control)

Answer 114

Maintenance

Operational

Question 115

MP (Security Control)

Answer 115

Media Protection

Operational

Question 116

PE (Security Control)

Answer 116

Physical & Environmental Protection

Operational

Question 117

PL (Security Control)

Answer 117

Planning

Management

Question 118

PM (Security Control)

Answer 118

Project Management

Management

Question 119

PS (Security Control)

Answer 119

Personnel Security

Operational

Question 120

RA (Security Control)

Answer 120

Risk Assessment

Management

Question 121

SA (Security Control)

Answer 121

System and Services Acquisition

Management

Question 122

SC (Security Control)

Answer 122

System and Communications Protection

Technical

Question 123

SI (Security Control)

Answer 123

System and Information Integrity

Operational

Question 124

Directive (Controls)

Answer 124

Designed to specify acceptable rules of behavior within an organization.

Question 125

Deterrent (Controls)

Answer 125

Designed to discourage people from violating security directives.

Question 126

Preventive (Controls)

Answer 126

Prevent a security incident or information breach.

Question 127

Compensating (Control)

Answer 127

Implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level.

Question 128

Detective (Control)

Answer 128

Designed to signal a warning when a security control has been breached.

Question 129

Corrective (Control)

Answer 129

Implement to remedy circumstance, mitigate damage, or restore controls.

Question 130

Recovery (Control)

Answer 130

Implemented to restore conditions to normal after a security incident.

Question 131

System Security Plan

Answer 131

Comprehensive document that details the security requirements for a specific system, the controls established to meet those requirements, and the responsibilities and expected behaviors of those administering and accessing the system.

Question 132

System Owner

Answer 132

Responsible for decisions regarding system procurement or development, implementation and integration, and operation and ongoing maintenance.

Question 133

Information Owner

Answer 133

Has overall authority for the information stored, processed, or transmitted by the system. Responsible for specifying policies for appropriate use of information and security requirements for protecting information in the system.

Question 134

Security Officer

Answer 134

Responsible for coordinating development, review, and acceptance of security plans and for IDENTIFICATION, IMPLEMENTATION, ADMINISTRATION, and ASSESSMENT.

Question 135

Authorizing Official or Approver

Answer 135

Senior executive or manager with the authority to assume full responsibility for the system covered in the system security plan.