Domain 4: Security Operations Flashcards

Question

Acquisition and procurement

Answer 1

• identifying hardware and software solution to suit the needs of the organization • purchasing from reputable vendor, using genuine hardware with secure supply chain • devices will create “paper trail” that can be investigated to determine origin of hardware after receiving device • **Asset tagging** - semi permanent labels for inventory tracking of officially procured devices - No tag? No network access.

Answer 2

- **Ownership** - Identifying and documenting the individual or office location device is provided for - Keeping track of the devices we gave you - **Classification** - Identifying and documenting the role, purpose of a device

Answer 3

- **Inventory** - List of physical assets acquired by organization - **Enumeration** - List of network assets on organizations network - Are they the same? What if there is a difference?

Answer 4

- when removing a device from an organizations network, care must be taken that any sensitive data is purged from the device - How this is accomplished varies by device: - spinning, disk, magnetic hard drives, for example, should be doused or shredded to ensure no residual data remains - solid-state drives cannot be deeded. It should be securely erased or shredded. - Network appliances (routers, switches) should have any configuration data reset and purged - devices, such as scanners and printers should be evaluated according to manufactures documentation about how best to remove any possible data stored on the device

Answer 5

• **Sanitization** - deleting sensitive data from drive • **Destruction** - physically destroying the drive so that it cannot be used - Example, drill, incinerate, grind up/shred • **Certification** - Ensuring drive was delivered to technician to destroy drive - technician marks time/date of drive destruction • **Data Retention** - Before disposal, check with regulations and policies on data retention requirements

Answer 6

- **WEP (Wired Equivalent Privacy** - Great name, terrible protection) - found to be crypto graphically insecure - deprecated - **WPA (Wi-Fi Protected Access)** and **WPA2** - WPA was created to replace wired equivalent privacy (WEP) when WEP was found to be insecure. - WPA uses **RC4** with the inclusion of **temporal key integrated protocol (TKIP)**, which uses an encrypted hash with the sequence counter and a 48 bit IV to avoid the problems inherent in WEP - WPA2 is a stronger version of WPA, using a **EAS** in conjunction with **counter mode with cipher block changing message authentication code protocol (CCMP)**

Answer 7

- **WPA3** - weakness is found in WPA2 drove development of WPA3 - replaces authentication scheme: uses *simultaneous authentication of equals (SAE)* to replace pre-shared key exchange protocol from WPA2 so attackers cannot intercept authentication credentials - Encryption, baked in: encrypts traffic from endpoint to endpoint, even without a password - replaces cryptographic protocols: replaces a AES CCMP with **AES Galois Counter Mode Protocol (GCMP)** - easy connect: allows devices to scan a QR code to configure and join network **WPA3 = AES + GCMP**

Answer 8

- **IEEE 802.1x** is a technical specification for authenticating users to provide network access - specification is embodied in framework called **Extensible Authentication Protocol (EAP)** - there are several *implementations* of EAP, to name a few: - EAP-TLS - EAP-TTLS - PEAP - EAP-FAST

Answer 9

- **Remote Authentication Dial-In User Service (RADIUS)** uses a centralized server to provide *authentication, authorization and accounting (AAA)* to remote users in a scalable way - users connect to radius client (access point, switch, etc.) and provide the client with their credentials. - The radius client does not store credentials. Instead, it forwards them to the AAA server in an encrypted access request package. - The AAA server, decrypts and check the credentials, providing the radius client with an access response - The radius client validates that the AAA information is from the server and intern response to the user to allow or deny access

Answer 10

- **Personal** - WPA2-PSK - a pre-shared key (password) for authenticating (on test, may be written as WPA2-Personal) - WPA3-SAE - PAKE, Password-Authenticated key Exchange (on test, may be written as WOA3-Personal) - **Enterprise** - WPA2-Enterprise - WPA3-Enterprise - allows users to authenticate with their enterprise credentials - Both WPA2 and WPA3 utilize 802.1x authentication - 802.1x utilizes a RADIUS server to verify user credentials before joining network

Answer 11

- **Site surveys** - Data collection of signal strength at a specified or measured location - **Heat maps** - color visualization of the measured signal strength to provide at a glance interpretation of the site survey

Answer 12

- **vulnerability scan** - Enumerates house on network - List detected vulnerabilities, according to signatures and definitions - Examples: Nessus, OpenVAS

Answer 13

- Data that is **publicly available** and can be used to further in attack - information found via email harvesting and social media profiling - Things that can be found using Google, Facebook, etc. - in a context of security, consider any information which is freely available as having the potential to further a spearfishing attack

Answer 14

- Opposite of open source intelligence, **close/proprietary information is not public** and comes from specific sources - typically, commercial solutions and cost money to use - it is typically higher quality information than the information you would find in open source intelligence

Answer 15

- **Deep web** - The unindicted pages of the information and cannot be reached by normal search engines or browsers - **Dark web** - meeting place for hackers to share your legally obtain information and credentials - (The Onion Router) - encrypted medium for obfuscating network traffic to anonymize activity on dark web - layer upon a layer of encrypted, convoluted traffic makes it extremely difficult to track a user - Layers like an onion, hence the name

Answer 16

- **information sharing in analysis centers (ISACs)** - ** security information exchanges (SiX) - Public/private information sharing centers - Collaborative efforts for sharing indicators of compromise, threat intelligence, and best practices - Often industry specific or region base - some organizations publish information regarding threat intelligence to be shared with clients or the public at large

Answer 17

- **Penetration testing** is simulating an attack with the goal of finding both weaknesses and strengths. It involves actively exploding vulnerabilities as they are discovered, to penetrate as far as possible into the target system. - Look for common known exploits, as well as unknown exploits - **Vulnerability scanning** use a software to check for known vulnerabilities - Generally, uses passive techniques and does not exploit any vulnerabilities which are found in the scan - vulnerable scanning would likely be part of a penetration test

Answer 18

- **Bug bounties** - Program offered by organizations to safely and securely disclosed vulnerabilities found found in their products, networks or systems for the purpose of being fixed - mini bug bounty programs offer monetary war to books that are discovered - information security professionals make a living from bounty programs alone - Example: Hacker1

Answer 19

- Systemic review of information systems and operational processes of the organization - Maybe mandated by industry regulations such as HIPAA, Sarbanes-Oxley (SOC) - standards/frameworks for workflow available from NIST and ISO - benefits or organization by being able to identify problems before they arrive - May be carried out in house or by third-party, depending on regulatory requirements

Answer 20

- **True Positive** - when a scan and divisive vulnerability that does actually exist - **True Negative** - when a scan reports no vulnerabilities present when one does not exist - **False Positive** - when a scan identifies a vulnerability that does not actually exist - consider the time which can be lost due to chasing down false positives - **False Negative** - when a scanner reports no vulnerabilities present when one exists

Answer 21

- Analyzing identified risk and determining the order in which each item should be addressed - Priority given to most worrisome based on measured risk(highest probability, greatest impact) - Priority might also be for a mitigations that are cheapest (no cost) to address

Answer 22

- **Common Vulnerabilities and Exposures (CVE)** - A reference method for publicly known information security vulnerabilities - CVE IDs use the model CVE-YYYY-NNNNN, where YYYY is the year that the mobility is discovered and NNNNN is the arbitrary number assigned to the vulnerability

Answer 23

- **Common Vulnerability Scoring System (CVSS)** - scoring system for vulnerabilities and gives a level of impact on an organization should if vulnerability be realized - impact can be assessed based on the CIA triad

Answer 24

- **Common Vulnerability Scoring System (CVSS)** - scoring system for vulnerabilities and gives a level of impact on an organization should if vulnerability be realized - impact can be assessed based on the CIA triad

Answer 25

- categorizing vulnerability based on characteristics, such as the type of system, version of software, mall of hardware, etc. - Helps to clarify scope in nature of a particular threat

Answer 26

- The percentage of value of an asset that is lost if a specific thread comes to pass - Example: supposed a window is valued at $1000. If calculating the risk of a window breaking… - Do you have to replace the whole window? (Cost $1000, so EF is 100%) - Can you replace just one pane? (Cost is $500, EF is 50%) - Maybe you got a replacement policy for free with a $100 deductible back when it was first purchased (cost is $100, so EF is 10%)

Answer 27

- The percentage of value of an asset that is lost if a specific thread comes to pass - Example: supposed a window is valued at $1000. If calculating the risk of a window breaking… - Do you have to replace the whole window? (Cost $1000, so EF is 100%) - Can you replace just one pane? (Cost is $500, EF is 50%) - Maybe you got a replacement policy for free with a $100 deductible back when it was first purchased (cost is $100, so EF is 10%)

Answer 28

- when threat intelligence comes in about a particular vulnerability, the assessment performed by others may not apply to an organization particular set up - Organizations infrastructure, including the hardware, software, networks and other systems all play a role in determining how particular vulnerability may play out. The infrastructure may suppress the impact, or it may amplify the impact. - each organization set up is unique, so the specific impact of vulnerability is also unique

Answer 29

- Impacts of vulnerability could have maybe: - Financial loss - Reputational Damage - operational disruption - Regulatory penalties - business partnership loss - Reputational harm, Customer aversion - Organizational impact - Industry impact

Answer 30

- The **measure of risk and organization is willing to accept** - The level varies greatly depending on organization, size, strategic objectives, industry, regulations, etc. - Often identified in light of vulnerability and analysis and determining where to spend some resources safeguarding the network. At some point, organizations, decision makers will say this is good enough for now.

Answer 31

- when vulnerabilities have been identified, organizations will seek to update the software or firmware - vendors make patches available for this purpose - Sometimes of vulnerability is discovered, and the patch is not available for a long time - Segment the device away from network - Monitor data coming and going from device

Answer 32

- cyber security insurance provides financial backing to minimize financial losses - Cyber insurance has requirements for coverage: - regular security testing - Operation in compliance with industries regulations - documented security policies - Evidence of employee training

Answer 33

- Isolating systems from the organizations network or putting the networking device in his own network to safeguard the rest of the organization from infection - Limits scope of impact

Answer 34

- control designed as a back up to another control, to be used in the event that the main control is unable to provide sufficient levels of protection on his own - Controls can also involve the recovery of data if lost due to an attack/disaster - for example, an alarm that sounds after a lock door has been left open for certain period of time

Answer 35

- **Exemption** - I identifying vulnerabilities and acknowledging their presence, but not taking any additional action - **Exemption** - User or system that is not required to be in compliance with security policy for a specifics reason - Sometimes identified vulnerabilities are not problematic for the organization - May be a problem for others, but not here

Answer 36

- ensuring the mitigations have taken care of a particular vulnerability or set of vulnerabilities **Validation process:** - Rescan for vulnerabilities - Audit results to look for mitigations - verifying results (no false negatives) - Reporting findings through documentation

Answer 37

- **Systems** - System monitors watch host Health - **Applications** - System monitors, cloud monitors, vulnerability, scanners, antivirus logs, DLP logs - **Infrastructure** - Switches, access points, routers, firewall - Watch processor load, memory load, state of connections, operating temperatures, data, throughput, errors, statistics

Answer 38

- **Log aggregation** - Collecting data - **Scanning** - monitoring the data for known, defined or abnormal network activity - **Alerting** - notifying personnel to suspicious or anomalous activity - **Reporting** - providing overview of events and alerts - **Archiving** - safeguarding in storing reports for compliance reasons

Answer 39

- SCAP - Benchmarks - Agents - Security information and event management - Data Loss Prevention (DLP) solutions - SNMP traps - NetFlow - Vulnerability scanners

Answer 40

- **Security Content Automation Protocol** - automated data format for exchanging vulnerability information from feed, checking systems for applicability and providing reports for compliance and mitigation purposes - enable continuous monitoring - Formats - **Open vulnerability and assessment language (OVAL)** - xML-based, machine-readable format for providing system, state and pulling vulnerability reports and information - **Extensible configuration checklist description format (XCCDF)** - XML-based, machine-readable format for developing and auditing configuration checklist

Answer 41

- using widely excepted metrics to determine alignment with configuration recommendations - Helps track changes to network operations, identify alignment with best practices, provide documented growth goals - The *center for Internet security publishes CIS* benchmarks for various vendor supplied technologies

Answer 42

- **Security Information and Event Management (SIEM)** - a SIEM is an application that provides the ability to gather security. Log data from multiple information system components known as sensors. - Aggregates and presents collected data as actionable information via a single interface - Uses correlation to associate events and data with certain indications of risk and can provide alerts accordingly

Answer 43

- **Aggregation** - process of collecting data from many different sources to a common location. This data can be parse to assess the health of an environment. - allows for a SIEM to be a one stop shop for looking at log information, as it will contain the essential log data from all applicable machines - **Correlation** - process of separating out specific data points that are associated with a security event. This can help fine patterns that can help identify security threats. - SIEM can be configured to send out alerts notifying of a possible security threat whenever a threat had been identified through correlated patterns

Answer 44

- **Automated alerts/triggers** - ability to be alerted or have an action taken based on certain events - Generally, alerts will be sent to system and administrators and security team members to notify them that a potential security threat has occurred - Triggers are the specific events which set off trigger and automated alert - **Alert tuning** - **Quarantine**

Answer 45

- **Time synchronization** - A SIEM must be able to normalize the timing of events from all sources into one time zone - If the time is off, we constructing a security vent can be impossible, as knowing the correct chronological order of events is essential to figuring out when and how an attack happened - **Event deduplication** - some errors were events can cause up to thousands of similar or identical error messages to be logged and sent to SIEM - To avoid clogging its reporting mechanisms when this happens, SIEM has the ability to identify this flood of log info as corresponding to a single event

Answer 46

- **Secure logs/WORM** - to ensure logs are protected from tampering only system processes and secure, non-administrative account should be able to write to them and only by a pending date to the end of the log - **Right once, read many (WORM)** media is another option for secure logging. Once data is written to worm media, you cannot be rewritten, though data can be appended to that which was previously recorded.

Answer 47

- many network devices use utilizes **Simple Network Management Protocol (SNMP)** - Typically, SNMP messages are sent to a SNMP **Management Information Base (MIB)** after a request is sent from the MIB to the network device - if network device detects a problem, it can send an emergency message to the MIB without waiting for a request - SNMP trap is emergency message detected by the network device

Answer 48

- NetFlow is a feature that allows customers to collect IP network traffic from Cisco routers - NetFlow allows system administrators to destination of traffic, class of service, and causes of congestion - NetFlow ICMP types include: - Echo reply - Destination unreachable - Redirect - Time exceeded - Network flow of packets can be used to determine the source and destination ports, IP addresses and subnets of packets in a network. - Investigating net flow reports can be used during the course of incident response

Answer 49

- Software that aids in identifying hosts/host attributes and associated vulnerabilities - Scans a system by comparing its settings with a predefined set of non-vulnerable settings, and software types

Answer 50

- Rules - Top-Down - Implicit deny - Access lists - Ports/protocols - Screened subnets

Answer 51

- mechanism that implements access control for a system resource by enumerating the identities of the system entities that are committed to access the resources - consist of a set of rules, where each rule specifies a type of packet and whether to block or allow the packet through the firewall

Answer 52

- mechanism that implements access control for a system resource by enumerating the identities of the system entities that are committed to access the resources - consist of a set of rules, where each rule specifies a type of packet and whether to block or allow the packet through the firewall

Answer 53

- Firewall rules are evaluated in a top down manner, meeting rules earlier in the list are checked first - Generally, the last rule in the list is an implicit denial rule, so packets which have not been allowed by a previous rule will be blocked by default - **Implicit deny** a rule that denies traffic unless a rule explicitly allows it

Answer 54

- Firewall rules are evaluated in a top down manner, meeting rules earlier in the list are checked first - Generally, the last rule in the list is an implicit denial rule, so packets which have not been allowed by a previous rule will be blocked by default - **Implicit deny** a rule that denies traffic unless a rule explicitly allows it

Answer 55

- formally referred to as **DMZ or demilitarized zone** - A host or network segment asserted as a neutral zone between an organizations, private network, and the Internet - Add an additional layer of separation to protect internal systems from external traffic

Answer 56

- **Signature** - detection systems monitor for known activity, indicators of compromise, to alert, anomalous activity - Vulnerability must be known in order for a signature to be published - Drawback: may not catch new, zero day attacks - **Trends** - alternative way to monitoring network is to do trend analysis. Rather than relying unknown, published signatures, this method monitors activity and watches how users are operating. - Drawback: trigger more false positives

Answer 57

- firewall can assist in filtering web Contant by directing traffic to proxy or using DNS reputation - Agent-based - Centralized proxy - URL scanning - looking for malicious, untrustworthy domains - Contant categorization— categorizing webpages based on content (gambling, explicit content, job search) - Reputation-certain domains known to be malicious, these can’t get blocked (abused.com) - **DNS filtering** - Filtering content based on the domain name - certain explicit keywords may show up in every domain names, can be blocked at DNS level - Example: pie hole ad blog does DNS filtering to limit wood, advertisements, and trackers make it to your network

Answer 58

- firewall can assist in filtering web Contant by directing traffic to proxy or using DNS reputation - Agent-based - Centralized proxy - URL scanning - looking for malicious, untrustworthy domains - Contant categorization— categorizing webpages based on content (gambling, explicit content, job search) - Reputation-certain domains known to be malicious, these can’t get blocked (abused.com) - **DNS filtering** - Filtering content based on the domain name - certain explicit keywords may show up in every domain names, can be blocked at DNS level - Example: pie hole ad blog does DNS filtering to limit wood, advertisements, and trackers make it to your network

Answer 59

- **Group policy** - feature of windows using active directory that allows users to be put into containers called organizational units. Group policy can then apply to all members associated with that OU to grant or deny certain privileges, access, rights, and settings. - If a change must be made, one change of configuration and it applies to all in that OU - **SELinux** - Linux kernel security feature that provides access control policies, including **Mandatory Access Control (MAC)** - Allows for fine-tuning permissions to provide high-level of security at the kernel and operating system level - SEAndroid is an Android variant that provides same level security control features for android devices

Answer 60

- **Group policy** - feature of windows using active directory that allows users to be put into containers called organizational units. Group policy can then apply to all members associated with that OU to grant or deny certain privileges, access, rights, and settings. - If a change must be made, one change of configuration and it applies to all in that OU - **SELinux** - Linux kernel security feature that provides access control policies, including **Mandatory Access Control (MAC)** - Allows for fine-tuning permissions to provide high-level of security at the kernel and operating system level - SEAndroid is an Android variant that provides same level security control features for android devices

Answer 61

- various protocols exist for a variety of data exchanges. For most, they started out as plane text, and a newer, encrypted, secure form has emerged. - there are not as many protocols to be aware of on the security plus as there are on the network plus, but you need to memorize several - be able to identify the purpose of the **protocol**,the **port number**, and **transport mode** (TCP or UDO)

Answer 62

- ** Domain face message authentication, reporting and conformance (DMARC)** - System used to identify mail that is suspicious and is originating from unauthorized mail servers - ** Domain keys identified Mail (DKIM)** - A digital signature, added to outgoing mail, allowing the recipient to confirm the origin of the message - **Sender policy framework (SPF)** - directions on how to handle messages not space specified in the DNS SPF record

Answer 63

- A server which allows a network to send receive email communications from other networks. Generally used to receive email from outside the organization. - because all the email is being passed through this point, and they’ll Gateway offers the opportunity for inspection of emails and attachments for malicious links and content, as well as ensuring confidential information is not being emailed

Answer 64

- IEEE 802.1x - A feature provided by some network appliances that provides access given valid credentials, and their results of health checks performed on the client device - If a client device does not need security in or update standards of the NAC policy, it will not be allowed access to the network

Answer 65

- **Dissolvable NAC** uses an agent which is downloaded by a client upon requesting access. The agent runs the appropriate in a checks and allows access if the client passes. Provides one time authentication, as a new agent will need to be downloaded each time the network is excess. - **Permanent NAC** uses an agent which is installed onto the client system and is persistently running in the background, performing a NAC check each time network access is requested

Answer 66

- **Host health** - checking the health of the client to ensure compliance with NAC policies before allowing to access a resource - mobile house may be checked for a rogue software or other issues. In some cases, a remedy may be offered for an outstanding issue. - **Agent versus agentless** - an agent is software that runs on the system and then reports back with the results of the NAC policy compliance check determines whether or not system is allowed network access - agentless means no agent is installed on system. Instead, a domain controller scans devices directly for NAC compliance as they request to join the domain.

Answer 67

- identifying what is normal for a group of users in monitoring, gilling network activity for any anomalous activity. Anything that is out of the norm - example: a server automatically upload the days back up to the cloud at a given time each night one night, it downloads a service update from an un Trust - Single. This could trigger and alert for further investigation. What was the update? Why did the back up fail? was back up down?

Answer 68

- Account creation should not be a single individual person’s job - Individuals privileged account could be a compromise - Insider threat - lack of documentation, tracking - Should have documentation for creating each account and removing each account - **assigning permissions** - I justifying Work rules for the position and configuring appropriate rights and privileges to fulfill needs of the individual

Answer 69

- Assuring an individual is who they claim to be by checking official documents and records

Answer 70

- A collection of domains, sometimes separate companies that have established trust between each other. The level of trust me very, but typically includes authentication. It may include authorization. - Example: using Facebook credentials to authenticate with a web application

Answer 71

- employees central authorization server to enable a user to authenticate once yet access all applications or machines which they are permitted to use - Reduces often greatly the number of times a user is required to enter their various usernames passwords

Answer 72

- ** Lightweight directory access protocol (LDAP)** - commonly used protocol for clearing and making updates to directories which followed the X .500 standard - associates objects in the directory with their full X .500 distinguished name - Example:

Answer 73

- **Lightweight directory access protocol (LDAP)** - commonly used protocol for clearing and making updates to directories which followed the X .500 standard - associates objects in the directory with their full X .500 distinguished name - Example:

Answer 74

- **OAuth** - token based and OAUTH consumer uses a token to access user information stored on providers website control what a user is authorized to do on the consumer site - example the ability to log into non-Google websites using your Google account - **Open ID Connect** - Layer on top of the OAUTH protocol which simplifies the process of developing a single sign on mechanism - Open ID connect was created to ease the complexity of the OAUTH protocol for developers by allowing consumer sites to request authentication only service

Answer 75

- **Security Assertions Markup Language (SAML)** is a framework for exchanging authentication and authorization information, typically used by federal networks - SAML standardizes the representation of credentials in and *extensible markup language (XML)* format known as SAML token

Answer 76

- **Security Assertions Markup Language (SAML)** is a framework for exchanging authentication and authorization information, typically used by federal networks - SAML standardizes the representation of credentials in and *extensible markup language (XML)* format known as SAML token

Answer 77

- Solutions may need to **span various systems** - Important for a solution to be enter operable with other use cases - Often utilize standards, such as SAML

Answer 78

- term for **affirming the correctness or ability of information** - Often required for regulatory or compliance reasons - Insurance that users only have access to data. They are authorized to have. Affirms authenticated users are correct and nothing has been errantly modified

Answer 79

- **Discretionary** - **Rule-based** - Mandatory (MBAC) - Role-based (RBAC) - Attribute-based (ABAC) - **Time-of-day restrictions**

Answer 80

- giving users the lowest amount of privilege needed while still allowing them to be productive - not only protects you from the users mistakes, but also any attacker that compromises a users account, as their access to information will be limited to that users level of access

Answer 81

- **Privileged users** - privileged accounts have a higher permission level than regular user accounts and are thus more powerful - privileged accounts can often grant and permissions to other accounts, as well as assigned them to various groups - commonly used by system/network administrators - **Privilege access** - Securely manage the accounts of users with elevated privileges to systems and resources

Answer 82

- **Just-in-time permissions** - permissions granted to a privileged user for the duration of the task or work being performed - **Password vaulting** - storage of credentials and software vault which controls who has access, when and for how long - Permissions can be context aware - **Temporal accounts** - short lived, temporary accounts only useful for a limited time

Answer 83

- **Just-in-time permissions** - permissions granted to a privileged user for the duration of the task or work being performed - **Password vaulting** - storage of credentials and software vault which controls who has access, when and for how long - Permissions can be context aware - **Temporal accounts** - short lived, temporary accounts only useful for a limited time

Answer 84

- use of two or more authentication factors - **Authentication factors:** - something you know (type 1) - Something you have (type 2) - Something you are (type 3) - Something you do - somewhere you are

Answer 85

- something you know - Using a secret such as a password or a pin as a factor of all authentication - Also includes personally identified information like your name, address or birthday - Something you have - refers to authenticating with a physical object that you can’t be carried - Using keys, key cards, cell phone, etc., as a factor of authentication

Answer 86

- something you are - Using a physical aspect of a person for authentication - Generally involves collecting biometric information by performing fingerprinting, Irish scans or facial recognition. The recorded information is appeared to forgiven when users request access to determine if there is a biometric match. - Something you do - Using a unique action as a method of authentication - Makes use of biometric information that is collected by analyzing behaviors rather than physical aspects - examples include signature, writing typing and speaking patterns

Answer 87

- somewhere you are - Not to be confused with something you are authentication factor there somewhere you are factor involves authentication and uses based on their location information - can be done using global location, GPS, local location, indoor positioning system, or IP address to determine network network based location

Answer 88

- Biometrics - Used to identify and authenticate and individual based on personal characteristics - examples of personal characteristics include fingerprints, face, retina, iris, speech, handwriting, hand, geometry, and wrist, veins, and gate analysis - Heart token/soft tokens - Tokens can be hardware or software-based and are used to aid in providing authentication or for access is given - For example, a USB token could be used to prevent access to a machine until the token is provided - Access cards can be used simply as an identity badge, but they can also be turned to smartcards and used as a form of token - security key

Answer 89

- length - Enforcement links for passwords, limits week password - Complexity - force use of range of characters limits weak passwords - Reuse - prevent use of prior passwords, which would undermine purpose of setting a new password - Age - force change of password after specified length of time

Answer 90

- software that long, hard to remember text and password in an encrypted format - useful for keeping passwords different for each account while also being very long and complex - considering that it is putting all your eggs in one basket, so authenticating to a password manager should be very secure

Answer 91

- authentication system that does not rely on knowledge base factors - No password, no pin, no pictures, nothing to remember - utilizes tokens, keys, authenticator device, anything other than something you know

Answer 92

- workforce and multiplier - ability to be more productive with fewer personnel - consistency - No forgotten steps, scripting in automation will provide same outcomes, each run - Shorter reaction time - events can happen quick, often quicker than we can humanly react, - Having automated response, increased ability to respond

Answer 93

- workforce and multiplier - ability to be more productive with fewer personnel - consistency - No forgotten steps, scripting in automation will provide same outcomes, each run - Shorter reaction time - events can happen quick, often quicker than we can humanly react, - Having automated response, increased ability to respond

Answer 94

- Complexity - must have full understanding of the operations, systems, dependencies and interactions of systems to automate. Poor planning can create necessary, complexity, and make it hard to support. - cost - The time and effort of creating an automated ecosystem is enormous - single point of failure - if organization relies on a single script, it could have huge impact on administration of systems - technical debt - Without thoroughly implementing automation, small problems can creep into bigger problems, overtime - Ongoing support of code - supporting the script can be difficult, especially if the original author has moved on and or left no documentation

Answer 95

- Preparation - detection - Analysis - Containment - Eradication - Recovery - Lessons learned

Answer 96

- preparation - In this phase, response, plans, documents, teams, and resources are put in place prior to an attack - employee training - Exercise/drills - Resources allocated by policy - Hardening systems - Identification - this phase involves identifying if an incident has taken place and discovering as much information as possible regarding the events - Who caused the incident? - What were the effects? - How can the incident be stopped?

Answer 97

- containment - Is this stage, you want to prevent further damage to the environment and save as much data as possible by using the information gain in the identification step - Limit Internet access - Segment and network - Change passwords - Have a long and short term plan - Eradication - Once the problem is contained, you can work on removing it completely. This may require internal or external experts to examine and clean/remove all systems and files which were affected during the incident.

Answer 98

- recovery - Once the problem has been identified, contained and eradicated, you can get your environment back to normal - this involves making sure that it can be recovered, and that business operations can continue following an incident - Review/lessons learned - The final phase of the incident response process is when the incident and the success/failure. Various response methods are examined. - Determine what went wrong and what can be done to vented in the future - this is also a good time to evaluate how well your incident response plan work and if adjustments are needed

Answer 99

- **A Tabletop** is a discussion based exercise where personal go through their disaster, recovery rules and responsibilities. A tabletop exercise is done in a classroom setting to familiarize staff with the recovery procedures without actually simulating a disaster. - it is also possible to create like conditions to run fully simulated and in-depth test of the recovery process. Though these are often difficult to set up safely.

Answer 100

- process of discovering the cause of a problem that started an instant - Could be very easy and straightforward to identify - Could be extremely complex and require input from designer/technicians and engineers of the equipment

Answer 101

- process of productively and interactively searching through network/applications to detect isolate fans thread that evade existing security solutions

Answer 102

- illegal hold is the concept of retaining evidence which may be relevant in illegal battle, and any lapse in the chain of custody can cause evidence to be rendered useless in the court of law

Answer 103

- A process that tracks the movement of evidence through its collection, safeguarding, and anal Alicis life by document each person who handled the evidence. The date/time it was collected or transferred and the purpose for the transfer. - Tagging legal evidence and documenting it as it is discovered is imperative to upholding the integrity of evidence in court

Answer 104

- write blockers - in-line device that prohibits writing data to a hard drive. It electronically turns a normal drive into a read only drive. - devices may be certified to test their ability to prevent changes on the drive - hashing - create a hash or digital evidence. If one bit of this evidence is modified, the hatch will be completely different. - Determining the same is proof that the evidence was not tempered with

Answer 105

- Gathering all the information is necessary, but packaging that data into a full, intuitive format for easy comprehension by a specific audience is crucial - The report should be free from any opinion or conjecture. State just a fax as simply as possible. Avoid generalizations, illusions or Colorful language. Only stick to the fax but distill and present them in a digestible format to a pole to purpose of the report.

Answer 106

- investigation can take a long time to conclude. Especially true in courts, where cases may span years. - critical strategy is in placed to preserve the data and the evidence collected and insure property chain of custody remains a place to prevent tampering

Answer 107

- process of identifying, preserving, analyzing, reviewing a report, electronic information during litigation - Usually performed by a legal team and then reviewed for analysis. And digital forensics, forensics expert, analyze the electronic information in the report the discovery they make to a legal team. - E-discovery software usually does not go into as much detail about electronic information as a digital forensic expert may be able to find

Answer 108

- Data from logs - Log sources/types - Firewall - Endpoint - Operating system - IDS/IPS logs - network appliances - metadata

Answer 109

- Vulnerability scans - Automated reports - Dashboards - packet captures