Domain 7 Flashcards

1
Q

__ determines the MTD e.g. this server can only be down for 4 hours.

A

BIA (Business Impact Analysis) determines the MTD (Maximum Tolerable/Allowable Downtime)

2
Q

__ firewall is software-based and filters anything coming into or leaving your system e.g. Windows firewall, ZoneAlarm (Windows), Application Firewall (Mac OS X)

A

Host-based firewall

3
Q

__ firewalls are referred to as ACLs (Access Control Lists) on some devices.

A

Packet filtering firewall. It inspects layer 3 IP header and is not very secure.

4
Q

__ firewalls maintain a state table so they can allow a SYN-ACK only if there was a corresponding SYN. They are primarily focused on layers 3 and 4.

A

Stateful inspection firewall. Looks at port while inspecting Layer 4 TCP/UDP header

5
Q

__ focuses on dynamically provisioning resources to cloud services e.g. providing computing resources of anywhere from 1 to thousands of systems within minutes such as Amazon during Nov/Dec. Organizations typically pay per unit, not per virtual host (based on equivalent CPU capacity).

A

Elastic Cloud Computing

6
Q

__ host discovery is the most direct way to identify a host, typically with a simple ping sweep. An additional stimulus beyond ICMP Echo Request is required for hardened systems.

A

active

7
Q

__ Intrusion __ System can take measures on its own to control and minimize damage such as spoofing a reset to both sides of the connection. This will drop the connection to control the damage. It can also use an API to tell the firewall to block an IP address.

A

Active IDS can take measures on its own to control and minimize damage.

8
Q

__ IDS sends an alert but does not stop the attack. __ IDS stops the attack, usually by sending resets.

A

passive, active

9
Q

__ is a client service such as client email like Gmail.

A

SaaS (Software as a Service)

10
Q

__ is a cloud-based VPS such as a Linux server.

A

IaaS (Infrastructure as a Service), VPS (Virtual Private Server)

11
Q

__ is a passive sniffer/sensor for analyzing and alerting on attacks whereas __ is an inline device that can block and stop attacks.

A

IDS, IPS

12
Q

__ is a plan that provides detailed steps to restore critical information systems and data.

A

DRP (Disaster Recovery Plan)

13
Q

__ is a plan to avoid irreparable loss of mission critical operations.

A

BCP (Business Continuity Planning)

14
Q

__ is a server service such as Apache web service.

A

PaaS (Platform as a Service). Admins have control over the service config only, not the general OS e.g. can restart the web service but not the entire system.

15
Q

__ is a strategic ongoing plan focused on business processes with the goal of proactively fixing potential problems. It is an ongoing, strategic and over-arching plan.

A

BCP (Business Continuity Planning)

16
Q

__ is a subcomponent of BCP that is a reactive plan focused on recovery when normal business operations are interrupted.

A

DRP (Disaster Recovery Plan)

17
Q

__ is a type of data redundancy that is similar to remote journaling but provides additional robust backup by storing duplicate data on multiple remote storage devices.

A

Database shadowing: similar to journaling but stored on multiple devices

18
Q

__ is a type of testing where team members step through the plan looking for errors or false assumptions.

A

structured walkthrough testing or validity testing

19
Q

__ is how long a system/process can be down before the mission is impacted.

A

RTO (Recovery Time Objective)

20
Q

__ is how long the business will allow a disruption of mission critical functions.

A

MTD (Maximum Tolerable Downtime)

21
Q

__ is primarily concerned with evidence and proving in court whether or not someone did something.

A

Forensics

22
Q

__ planning is short-term focused (has a start and a stop) while __ planning is long-term focused (continuous).

A

DRP, BCP

23
Q

__ software focuses on worms and viruses. __ might bundle the functionality of antispyware, HIPS, application whitelisting, antivirus.

A

antivirus, antimalware

24
Q

__ testing involves actually failing over operations to an alternate computing facility.

A

full interruption testing

25
Q

__ testing is a recovery to an alternate site with the main site still active.

A

parallel testing involves actual recovery at an alternate computing facility but while normal operations are still maintained at the primary location.

26
Q

__ testing is simply reviewing the plan to ensure all areas are covered.

A

read-through testing, checklist testing or consistency testing

27
Q

__, __ and __ firewalls are all single connection while __, __ and __ firewalls are 2 connections.

A

Packet, Stateful, NGFWs are single connection. Application, Application-Level and Circuit Proxy are 2 connection firewalls.

28
Q

__ is a subcomponent of BCP focused on rapid restoration of mission critical functions.

A

COOP (Continuing Operations Plan)

29
Q

A __ backup copies only files that have changed since the last full backup was last performed.

A

Differential backup

30
Q

A __ backup is the most efficient type of backup because it backs up the least amount of data each day.

A

Incremental backup

31
Q

A __ backup is used if time and tape space are at an extreme premium, and usually resets the archive bit on the files after they have been backed up.

A

Incremental backup

32
Q

A __ firewall develops a virtual connection between the host and destination, and typically sits at the session layer.

A

Circuit-Level Proxy Firewall, does NOT use application-level proxy software.

33
Q

A __ firewall hides the origin of a packet and is implemented on a computer by using proxy server software.

A

Application-Level Proxy Firewall

34
Q

A __ firewall is slower but more effective than a packet filtering firewall, and inspects ports.

A

SI (Stateful Inspection) firewall. Looks at port while inspecting Layer 4 TCP/UDP header

35
Q

A __ firewall is the slowest of all firewalls since it fully analyses the entire packet, going all the way up to layer 7 and then back down to layer 1.

A

Proxy firewall (or ‘Application proxy’ because it processes packets at all 7 layers). Breaks the connection into two pieces

36
Q

A __ firewall maintains one TCP connection with the client and one with the server.

A

Proxy firewall (or ‘Application proxy’ because it processes packets at all 7 layers). Breaks the connection into two pieces

37
Q

A __ is a system directly connected to the internet such as a firewall or router. It is directly exposed to attack.

A

Bastion host e.g. web, mail, FTP servers. A host computer in the public area or DMZ that is exposed to attack from the Internet.

38
Q

A __ testing is a walkthrough test that involves specific mock-up scenarios.

A

simulation or tabletop testing: team members respond as if an emergency is occurring. You may recover locations (emergency operations center and alternate sites) and enable communications links while team members execute recovery steps in a walk-through manner; however, you do not actually perform recovery actions (restore backups).

39
Q

A __ will run an executable in a sandbox before being run on the client to make sure it does not do any damage.

A

MDD (Malware Detonation Device) or Sandboxing

40
Q

A cloud-based service such as an Apache web service would be considered what?

A

PaaS (Platform as a Service). Admins have control over the service config only, not the general OS e.g. can restart the web service but not the entire system.

41
Q

A device that continuously monitors web server logs, firewall and proxy logs, system and event logs and many others is __. It is a detective control.

A

SIEM (Security Information and Event Management)

42
Q

A false positive on __ which alerts on matching signatures can be an annoyance. A false positive on __ is a self-imposed DoS condition since it will block the traffic. This can potentially block business / revenue therefore false positives cannot be allowed in the config for this type of system.

A

IDS, IPS cannot allow false positives

43
Q

A firewall that uses 2 separate connections with the best security is __ firewall.

A

Application Proxy firewall, processes packets at all 7 layers

44
Q

A formalized agreement between two business entities to facilitate recovery after a disaster is a __.

A

reciprocal agreement

45
Q

A honey__ is a server, Honey__ is a network. Honey__ is a file.

A

honeypot (server), honeynet (network), honey token (file)

46
Q

An inline device that is only alerting is an Intrusion __ System.

A

Prevention since inline, even though it is only alerting. The difference is how it is deployed.

47
Q

A major patch was released for a vulnerability that affects 99% of your systems. You received approval from executives to patch it even though the next CCB meeting isn’t until next week. What is the next step?

A

Present it at the next CCB meeting. Everything needs to be tracked in the CMDB (Change Management Database)

48
Q

A single connection firewall with the best security?

A

NGFW (Next Generation Firewall)

49
Q

A tangible object or physical evidence is known as __ evidence.

A

real evidence

50
Q

According to __, you can stop 80% of all attacks with which 4 items?

A

ASD (Australian Signals Directorate): patching OS, patching applications, application whitelisting, limiting and controlling admin access

51
Q

An oral testimony by a witness would be an example of __ evidence.

A

Direct

52
Q

__ includes a focused vulnerability assessment to determine the weaknesses to the business process that has to be recovered (smaller than full risk assessment).

A

BIA (Business Impact Analysis)

53
Q

Block-level striping is done at RAID __.

A

RAID 4,5,6

54
Q

Burden of proof for criminal action is __.

A

Beyond a shadow of a doubt or beyond a reasonable doubt

55
Q

Does RAID guarantee that if one drive fails, you will not lose information?

A

No because of RAID 0 which is for performance; RAID 1 and higher do meet that requirement.

56
Q

During an evacuation the __ is typically the first one out and responsible for beginning the process of accounting for all employees.

A

meeting point leader

57
Q

During incident handling, you should develop a report and send recommendations to management in the __ phase.

A

Lessons Learned Phase

58
Q

Evidence must be gathered legally or it can’t be used. This concept is called __.

A

Exclusionary rule

59
Q

Explain the following IDS events and two IDS equations.

A

TP: attack (getting alert when you should; alert, attack), TN: normal traffic (no alert and you shouldn’t be getting an alert; no alert, no attack), FP (getting alert when you shouldn’t; alert, no attack), FN (not getting alert when you should; no alert, attack).
Trick: N implies ‘no alert’, P is ‘alert’; then false or true is whether that is correct.
TP+FN=100% attack traffic, TN+FP=100% normal traffic, so if TP (implying attack traffic) is 60% then FN is 40%.

60
Q

For data redundancy, __ is where a disk controller is duplicated so if one controller fails, the other controller operates. This does not denote multiple disks as backups, but multiple disk controllers.

A

Disk duplexing

61
Q

For firewalls we start filtering at layer __ since MAC addresses change hop by hop but IP addresses stay the same through the path.

A

3

62
Q

For incident handling you should restore from backup in the __ phase. Make sure you do not restore compromised code.

A

Recovery phase

63
Q

For security you should keep an inventory for IPs and running apps but you would not need to do so for __

A

user accounts

64
Q

For the __ phase of incident handling you should fix the problem before putting the system back online.

A

Eradication phase

65
Q

For the __ phase of incident handling you should use SMART guidelines to determine whether an event is an incident.

A

Identification phase, SMART - Specific, Measurable, Achievable, Realistic, Timely

66
Q

How can we maximize the effectiveness of a firewall?

A

Make sure all connections are going through the firewall.

67
Q

If done at a byte level it is RAID __.

A

RAID 3

68
Q

If the TN for IDS events is 30%, what is 70%? Is this the attack or normal traffic?

A

FP, normal. TP: attack (getting alert when you should), TN: normal traffic (no alert and you shouldn’t be getting an alert), FP (getting alert when you shouldn’t), FN (not getting alert when you should).
TP+FN=100% attack traffic, TN+FP=100% normal traffic, so if TP (implying attack traffic) is 60% then FN is 40%.

69
Q

If there are no other qualifiers on exam and ISC2 is just referring to normal mode IDS, they are referring to __ IDS.

A

passive IDS (monitor traffic and alert)

70
Q

If you are doing a live implementation of a circuit-level firewall but applications such as ftp and telnet are not working, what may you need to do?

A

The network utilities have to be ‘socksified’ to operate. Choose this answer if you get a question like this on the exam.

71
Q

If you are having trouble detecting unauthorized connectivity and need a preventative measure, you could use __ as an asset inventory of what devices can connect. To complement this and check the configuration of the devices you could use __.

A

802.1X, NAC (Network Access Control)

72
Q

If you currently have 4 drives and want to implement RAID-1 how many drives do you need in total?

A

8 because you need 1 backup drive for every 1 active drive (each new drive mirrors each original drive)

73
Q

If you need to patch a lot of systems e.g. 30/50/80K and if you don’t do it within 5 days a vulnerability is guaranteed to crash your systems. Should you patch all systems immediately or do an incremental rollout?

A

Incremental rollout. This is probably the number one question people get wrong since they answer that the patch should be released right away.

74
Q

If you want a firewall that breaks up a connection and optimizes performance which would you choose?

A

Circuit-Level Proxy Firewall, faster since it does not examine all 7 layers like a regular application proxy firewall.

75
Q

In __, allowed EXEs are cryptographically hashed and verified. If programs are not pre-verified, then they cannot run.

A

Application Whitelisting: doesn’t even care if a new malware binary is dropped into System32. The focus is on executables, applications, binaries once they attempt execution.

76
Q

In a __ backup the file’s archive bit is not reset until the next full backup.

A

Differential backup

77
Q

In addition to considering an alternate location for recovery, many __ plans will take into account the possibility of running in the “recovered” state for 30 or more days.

A

COOP (Continuing Operations Plan)

78
Q

In CCB each person has veto power however the __ can override the decision if they determine it’s best for the business.

A

data owner

79
Q

In RAID if it is done at a bit level it is RAID __.

A

RAID 2

80
Q

In terms of data redundancy, __ is a batch process where data is transmitted through communication lines to storage on a remote server e.g. performed every evening at a specific time

A

Electronic vaulting

81
Q

In the __ phase of incident handling you should make a clean binary backup of the system. In the __ phase you should secure the area, make a backup, change passwords and optionally pull the system off the network.

A

Identification phase, Containment

82
Q

Infrastructure with computers and the latest data is a __ site.

A

hot site: fully functioning alternative data center with the latest information (fully redundant)

83
Q

Infrastructure with computers but not the latest data is a __ site.

A

warm site: so you would need to backup/restore

84
Q

Infrastructure with no computers is a __ site.

A

cold site: basic infrastructure (walls, maybe some desks), no computers, basically a building

85
Q

My cousin’s sister’s friend gave me this actual business document. This is an example of __.

A

hearsay

86
Q

Name the types of BCP testing.

A

read-through/checklist/consistency testing (simply reviewing plan to ensure all areas are covered), structured walk-through or validity testing (team members step through plan looking for errors or false assumptions), simulation or tabletop (walkthrough test that involves specific mock-up scenarios), parallel (recovery to an alternate site with main site still active), full interruption (actual failover to the alternate computing facility)

87
Q

Printed business records, manuals and printouts are examples of __ evidence.

A

documentary evidence

88
Q

RAID __ increases flexibility in the implementation and fault tolerance because there is no longer a single point of failure when it comes to parity.

A

RAID 5

89
Q

RAID __ is often called interleave parity

A

RAID 5

90
Q

RAID __ is often referred to as striping

A

RAID 0

91
Q

RAID __ is the simplest, least optimized form of RAID and requires a one-to-one disk ratio.

A

RAID 1

92
Q

RAID __ uses a dedicated parity drive and is implemented at the block level.

A

RAID 4

93
Q

RAID implementations go from bit to byte to block. The smaller the unit (bit) the more granular errors can be tracked and the less amount of data has to be replicated, however what is the downside of smaller units?

A

Less efficient because more information has to be tracked.

94
Q

Recovering an organization whenever an adverse event interrupts normal business operations is called __.

A

IR (Incident Response). You want to minimize damage and get back to a normal operating state

95
Q

Regarding search and seizure, __ is issued by a court to law enforcement for tangible objects. __ is issued by a court to an individual.

A

search warrant, subpoena (if you violate and don’t show to court you could get arrested and go to jail)

96
Q

Server clustering is similar to redundant servers except that all the services in the cluster are __ and take part in __. The cluster acts as a single entity and balances the load to improve performance.

A

online, processing service requests

97
Q

SOCKS is the most common example of a __ firewall and is used to authenticate a client.

A

Circuit-Level Proxy Firewall, does NOT use application-level proxy software.

98
Q

Summarize the RAID levels

A

RAID 0 (striped set, no redundancy), RAID 1 (mirrored set, fully redundant), RAID 2 (obsolete, bit interleaved, Hamming code), RAID 3 (dedicated parity, byte-level striping), RAID 4 (dedicated parity, block-level striping), RAID 5 (distributed parity, block-level striping), RAID 6 (double distributed parity, block-level striping)
RAID Summary - D7 pg 146

99
Q

The __ deals with the restoration or continued operations of the business processes whereas the __ deals with the restoration of the critical information systems that support the business processes.

A

BCP, DRP

100
Q

The __ involves collection and identification, storage/preservation/transportation, presentation in court, and returning to the victim (owner).

A

Evidence Life Cycle

101
Q

The __ is ultimately responsible for an evacuation and is the last one out

A

safety warden: often a company officer or executive

102
Q

The __ is where the cost to recover and the cost of disruption meets.

A

Cost Balance Point D7 pg 164

103
Q

The __ phase of incident handling includes updating the disaster recovery plan and providing checklists and procedures.

A

Preparation, D7 pg 104

104
Q

The __ rule is to limit the potential for alteration.

A

Best evidence rule

105
Q

The BIA uses information from the __ to prioritize business functions and calculate business impact.

A

vulnerability assessment: identifies critical business functions; results are used as input to recovery strategy

106
Q

The error checking for RAID level 2 is done through parity information created using a __ which detects errors and establishes which part of which drive is in error.

A

Hamming code

107
Q

The fastest type of firewall is __

A

Packet filtering firewall. It inspects layer 3 IP header and is not very secure.

108
Q

The key differentiating feature of __ firewall versus traditional firewalls is that this type can understand and filter specific client-side application capabilities.

A

NGFW (Next Generation Firewall)

109
Q

The primary focus of __ is on taking files and rendering/executing them in advance of passing them to the target.

A

MDD (Malware Detonation Device) or Sandboxing

110
Q

There are some exceptions; however, most business records that are generated electronically fall under the __ rule and are considered to be unreliable and inaccurate simply because there is no way to prove otherwise.

A

Hearsay Rule

111
Q

Third-party or second-hand evidence can also be called __ and under the US Federal Rules of Evidence, it is inadmissible in court. An exception is business documents and public records e.g. my sister’s cousin’s friend gave me this actual business document.

A

hearsay

112
Q

This most effective firewall looks at layer 7 application headers, uses a single connection and is the slowest firewall.

A

NGFW (Next Generation Firewall)

113
Q

This type of data redundancy transmits data in real-time or near real-time to backup storage at a remote location.

A

Remote journaling: data written to second system in close to real time

114
Q

This type of firewall is overtly instrumented to handle layer 7 aspects. An example of a __ firewall would be blocking Facebook chat for all end users except a few executives due to data exfiltration.

A

NGFW (Next Generation Firewall)

115
Q

This type of RAID is commonly called mirroring because it mirrors data from one disk to another.

A

RAID 1

116
Q

This type of RAID stripes data across disks but provides no redundancy. It is good for performance.

A

RAID 0

117
Q

This type of RAID uses a dedicated parity drive and is implemented at the byte level.

A

RAID 3

118
Q

Three types of NIDS are __.

A

Signature Matching, Protocol Behavior, Anomaly Detection

119
Q

To implement RAID __ you need a total of 39 disks, 32 for data storage and 7 for error recovery of that data. This method is performed at a bit level and therefore is not as efficient as other methods.

A

RAID 2

120
Q

Today’s adversaries are so advanced that no single log may indicate an attack; however, if you correlate logs using this type of monitoring tool, you may be able to see unusual patterns and identify the adversary.

A

SIEM (Security Information and Event Management)

121
Q

Using a model, chart or illustration to aid the jury is an example of __ evidence.

A

demonstrative evidence

122
Q

We use the __ numbering system to uniquely tag and identify data, for instance so it could be recovered as part of the eDiscovery process.

A

Bates numbering system

123
Q

What is necessary in order for audit information to be useful when handling employee issues?

A

It needs to be reviewed regularly; everything else is secondary (centrally managing the logs, etc), if they’re not reviewed, nothing else will matter

124
Q

What is required for centralized logging to work properly?

A

NTP (Network Time Protocol) server must be used. If you have centralized logging but no consistent time source you cannot correlate.

125
Q

What is the best way to secure a service?

A

Best answer is to turn the service off or uninstall it. Secondary is to aggressively apply patches.

126
Q

What is the golden rule of change management?

A

All changes must go through the CCB. If emergency, you can still make emergency changes as long as you present it at the next meeting.

127
Q

What is the only RAID level that requires an exact number of drives?

A

RAID 2

128
Q

What is the primary reason for centralized logging?

A

To get the logs off the system as quick as possible to prevent adversary from covering their tracks aka protection/safety of the logs. Do NOT pick correlation of the logs which would only be a secondary reason.

129
Q

What is the process for Incident Handling?

A

Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. Remember ‘PIC ERL’.
D7 pg 102

130
Q

What must be true about audit trails in order to safely use them in employee terminations?

A

They are reviewed on a regular basis

131
Q

What RAID level is now obsolete?

A

RAID 2

132
Q

When a vendor releases a patch they are telling the world there is a vulnerability. If the adversary can break in before the patch is applied he wins, if you patch before they break in, you win. What is this called?

A

Race condition

133
Q

When looking at a threat you need to identify the source of the threat which is typically __ and the cause of damage which is normally __.

A

external, internal (insider in organization) e.g. user clicking an email that allowed the adversary a pivot point to break in. Need to differentiate since you will remediate the issue differently depending on the cause.

134
Q

Which RAID is the first to intermix drives that have both data and parity?

A

RAID 5

135
Q

Which RAID(s) use one set of drives for data and separate drive(s) for error recovery codes?

A

RAID 2,3,4

136
Q

Which RAID systems will guarantee that even if one drive fails, you will NOT lose information?

A

RAID 1 and higher. You WILL lose information with RAID 0 which is for performance

137
Q

With __ host discovery we employ a sniffer and simply look for evidence of traffic indicative of systems.

A

passive

138
Q

Which backup method does not reset the archive bit on files that are backed up?

A

Differential backup

139
Q

An advantage of a __ backup is that if your system needs to be restored, it only requires two tapes.

A

Differential backup

140
Q

This ‘additive backup method’ is additive in the fact that it does not reset the archive bit so all changed or added files are backed up in every backup until the next full backup.

A

differential backup

142
Q

This type of backup requires the most tapes.

A

Incremental backup