Domain 7 Flashcards
Managing Security Operations
Why should employers make sure employees take their vacations?
A. They have a legal obligation.
B. It is part of due diligence.
C. It is a way for fraud to be uncovered.
D. To ensure employees do not get burned out.
C. Many times, employees who are carrying out fraudulent activities do not take the vacation they have earned because they do not want anyone to find out what they have been doing. Forcing an employee to take a vacation means that someone else has to do that person’s job and can possibly uncover any misdeeds.
Which of the following best describes separation of duties and job rotation?
A. Separation of duties ensures that more than one employee knows how to perform the tasks of a position, and job rotation ensures that one person cannot perform a high-risk task alone.
B. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position.
C. They are the same thing, but with different titles.
D. They are administrative controls that enforce access control and protect the organization’s resources.
B. Rotation of duties enables an organization to have more than one person trained in a position and can uncover fraudulent activities. Separation of duties is put into place to ensure that one entity cannot carry out a critical task alone.
If a programmer is restricted from updating and modifying production code, what is this an example of?
A. Rotation of duties
B. Due diligence
C. Separation of duties
D. Controlling input values
C. This is just one of several examples of separation of duties. A system must be set up for proper code maintenance to take place when necessary, instead of allowing a programmer to make changes arbitrarily. These types of changes should go through a change control process and should involve more entities than just one programmer.
What is the difference between least privilege and need to know?
A. A user should have least privilege that restricts her need to know.
B. A user should have a security clearance to access resources, a need to know about those resources, and least privilege to give her full control of all resources.
C. A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she has a need to know.
D. They are two different terms for the same issue.
C. Users should be able to access only the resources they need to fulfill the duties of their positions. They also should only have the level of permissions and rights for those resources that are required to carry out the exact operations they need for their jobs, and no more. This second concept is more granular than the first, but they have a symbiotic relationship.
Which of the following would not require updated documentation?
A. An antivirus signature update
B. Reconfiguration of a server
C. A change in security policy
D. The installation of a patch to a production server
A. Documentation is a very important part of the change control process. If things are not properly documented, employees will forget what actually took place with each device. If the environment needs to be rebuilt, for example, it may be done incorrectly if the procedure was poorly or improperly documented. When new changes need to be implemented, the current infrastructure may not be totally understood. Continually documenting when virus signatures are updated would be overkill. The other answers contain events that certainly require documentation.
A company needs to implement a CCTV system that will monitor a large area outside the facility. Which of the following is the correct lens combination for this?
A. A wide-angle lens and a small lens opening
B. A wide-angle lens and a large lens opening
C. A wide-angle lens and a large lens opening with a small focal length
D. A wide-angle lens and a large lens opening with a large focal length
A. The depth of field refers to the portion of the environment that is in focus when shown on the monitor. The depth of field varies depending upon the size of the lens opening, the distance of the object being focused on, and the focal length of the lens. The depth of field increases as the size of the lens opening decreases, the subject distance increases, or the focal length of the lens decreases. So if you want to cover a large area and not focus on specific items, it is best to use a wide-angle lens and a small lens opening.
Which of the following is not a true statement about CCTV lenses?
A. Lenses that have a manual iris should be used in outside monitoring.
B. Zoom lenses carry out focus functionality automatically.
C. Depth of field increases as the size of the lens opening decreases.
D. Depth of field increases as the focal length of the lens decreases.
A. Manual iris lenses have a ring around the CCTV lens that can be manually turned and controlled. A lens that has a manual iris would be used in an area that has fixed lighting, since the iris cannot self-adjust to changes of light. An auto iris lens should be used in environments where the light changes, such as an outdoor setting. As the environment brightens, this is sensed by the iris, which automatically adjusts itself. Security personnel will configure the CCTV to have a specific fixed exposure value, which the iris is responsible for maintaining. The other answers are true statements about CCTV lenses.
What is true about a transponder?
A. It is a card that can be read without sliding it through a card reader.
B. It is a biometric proximity device.
C. It is a card that a user swipes through a card reader to gain access to a facility.
D. It exchanges tokens with an authentication server.
A. A transponder is a type of proximity-based access control device that does not require the user to slide a card through a reader. The reader and card communicate directly. The card and reader have a receiver, transmitter, and battery. The reader sends signals to the card to request information. The card sends the reader an access code.
When is a security guard the best choice for a physical access control mechanism?
A. When discriminating judgment is required
B. When intrusion detection is required
C. When the security budget is low
D. When access controls are in place
A. Although many effective physical security mechanisms are on the market today, none can look at a situation, make a judgment about it, and decide what the next step should be. A security guard is employed when an organization needs to have a countermeasure that can think and make decisions in different scenarios.
Which of the following is not a characteristic of an electrostatic intrusion detection system?
A. It creates an electrostatic field and monitors for a capacitance change.
B. It can be used as an intrusion detection system for large areas.
C. It produces a balance between the electric capacitance and inductance of an object.
D. It can detect if an intruder comes within a certain range of an object.
B. An electrostatic IDS creates an electrostatic field, which is just an electric field associated with static electric charges. The IDS creates a balanced electrostatic field between itself and the object being monitored. If an intruder comes within a certain range of the monitored object, there is a capacitance change. The IDS can detect this change and sound an alarm.
What is a common problem with vibration-detection devices used for perimeter security?
A. They can be defeated by emitting the right electrical signals in the protected area.
B. The power source is easily disabled.
C. They cause false alarms.
D. They interfere with computing devices.
C. This type of system is sensitive to sounds and vibrations and detects the changes in the noise level of an area it is placed within. This level of sensitivity can cause many false alarms. These devices do not emit any waves; they only listen for sounds within an area and are considered passive devices.
Which of the following is not considered a delaying mechanism?
A. Locks
B. Defense-in-depth measures
C. Warning signs
D. Access controls
C. Every physical security program should have delaying mechanisms, which have the purpose of slowing down an intruder so security personnel can be alerted and arrive at the scene. A warning sign is a deterrence control, not a delaying control.
What are the two general types of proximity identification devices?
A. Biometric devices and access control devices
B. Swipe card devices and passive devices
C. Preset code devices and wireless devices
D. User-activated devices and system sensing devices
D. A user-activated device requires the user to do something: swipe the card through the reader and/or enter a code. A system sensing device recognizes the presence of the card and communicates with it without the user needing to carry out any activity.
Which is not a drawback of an intrusion detection system?
A. It’s expensive to install.
B. It cannot be penetrated.
C. It requires human response.
D. It’s subject to false alarms.
B. Intrusion detection systems are expensive, require someone to respond when they set off an alarm, and, because of their level of sensitivity, can cause several false alarms. Like any other type of technology or device, they have their own vulnerabilities that can be exploited and penetrated.
What is a cipher lock?
A. A lock that uses cryptographic keys
B. A lock that uses a type of key that cannot be reproduced
C. A lock that uses a token and perimeter reader
D. A lock that uses a keypad
D. Cipher locks, also known as programmable locks, use keypads to control access into an area or facility. The lock can require a swipe card and a specific combination that’s entered into the keypad.
If a cipher lock has a door delay option, what does that mean?
A. After a door is open for a specific period, the alarm goes off.
B. It can only be opened during emergency situations.
C. It has a hostage alarm capability.
D. It has supervisory override capability.
A. A security guard would want to be alerted when a door has been open for an extended period. It may be an indication that something is taking place other than a person entering or exiting the door. A security system can have a threshold set so that if the door is open past the defined time period, an alarm sounds.
Use the following scenario to answer Questions 1–3. The startup company at which you are the director of security is going through a huge growth spurt and the CEO has decided it’s time to let you build out a security operations center (SOC). You already have two cybersecurity analysts (one is quite experienced), a brand-new security information and event management (SIEM) platform, and pretty good security processes in place.
1. The number of alerts on your SIEM is overwhelming your two analysts and many alerts go uninvestigated each day. How can you correct this?
A. Hire an intelligence analyst to help you focus your collection efforts.
B. Tune the SIEM platform to reduce false-positive alerts.
C. Establish a threat hunting program to find attackers before they trigger alerts.
D. Establish thresholds below which events will not generate alerts.
B. False positives are a very common problem with automated platforms like SIEMs, but they can be alleviated by fine-tuning the platform. An intelligence analyst could help a little bit but would clearly not be the best answer, while threat hunting would be a distractor for such a young SOC that still needs to get alerts under control. Ignoring low-scoring alerts as a matter of policy would be a very dangerous move when dealing with stealthy attackers.
2. You hire an intelligence analyst and want her to start addressing intelligence requirements. Which of the following should be her first step?
A. Finding out what questions decision-makers need answered
B. Establishing a collection management framework
C. Identifying data sources
D. Subscribing to a threat data feed
A. Threat intelligence is meant to help decision-makers choose what to do about a threat. It answers a question that these leaders may have. The CMF and data sources are all important, of course, but they are driven by the requirements that come out of leaders’ questions. After the requirements are known, the intelligence analyst may (or may not) need to subscribe to a threat data feed.
3. Your SOC is maturing rapidly and you are ready to start a cyberthreat hunting program. Which of the following describes the crux of this effort?
A. Proving or negating hypotheses of threat actions based on threat intelligence
B. Neutralizing threat actors before they can breach your organization
C. Digging deeper into the alerts to determine if they constitute security incidents
D. Allowing hunters an opportunity to observe techniques used by their adversaries
A. The crux of threat hunting is to develop a hypothesis of adversarial action based on threat intelligence, and then to prove or negate the hypothesis. Inherent in this description are two factors: a) the adversary is already inside the network, and b) no alerts tipped off the defenders to the adversary’s presence. These factors negate answers B and C. Answer D describes the purpose of a honeypot, not threat hunting.
A firewall that can only make decisions based on examining a single network layer header is called a
A. Stateful firewall
B. Screened host
C. Packet filter
D. Next-generation firewall
C. Packet filtering is a firewall technology that makes access decisions based upon network-level protocol header values. The device that is carrying out packet-filtering processes is configured with access control lists (ACLs), which dictate the type of traffic that is allowed into and out of specific networks.
A firewall that understands the three-step handshake of a TCP connection is called a
A. Packet filter
B. Proxy firewall
C. Transport-layer proxy
D. Stateful firewall
D. Stateful firewalls keep track of the state of a protocol connection, which means they understand the three-step handshake a TCP connection goes through (SYN, SYN/ACK, ACK).
What is the main challenge with anomaly-based approaches to intrusion detection and prevention?
A. False positives
B. Needing a rule that accurately captures the attack
C. Cost
D. Immaturity of the technology
A. The main challenge with anomaly-based approaches is that of false positives—detecting intrusions when none happened. These can lead to fatigue and desensitizing the personnel who need to examine each of these alerts. Despite this shortcoming, anomaly-based approaches are mature and cost-effective technologies that are differentiated from rule-based systems by not needing rules that accurately capture attacks.
Which of the following is an effective technique for tuning automated detection systems like IDS/IPS and SIEMs?
A. Access control lists
B. State tables
C. Whitelists
D. Supervised machine learning
C. One of the most effective ways to tune detection platforms like IDS/IPS is to develop lists of things that are definitely benign and those that are definitely malicious. The platform, then, just has to figure out the stuff that is not on either list. A whitelist (more inclusively called an allow list) is a set of known-good resources such as IP addresses, domain names, or applications.
Which of the following terms would describe a system designed to ascertain a specific attacker’s intent and dynamically spawn multiple virtual devices that are designed to be appealing to that particular attacker?
A. Honeypot
B. Honeyclient
C. Honeyseeker
D. Honeynet
D. Some honeynets are designed to ascertain a specific attacker’s intent and dynamically spawn honeypots that are designed to be appealing to that particular attacker. These very sophisticated honeynets are not networks of preexisting honeypots, but rather adaptive networks that interact with the adversaries to keep them engaged (and thus under observation) for as long as possible.