Domain 7: Assessment Management Flashcards
Name the 4 types of IDS events
- True positive
- True negative
- False positive
- False negative
- Types of IDS event
- A Worm spreading on a trusted network; NIDS alerts
True positive
- Types of IDS event
- User surfs the web to an allowed site; NIDS is silent
True negative
- Types of IDS event
- User surfs the web to an allowed site; NIDS alerts
False positive
- Types of IDS event
- A worm is spreading on a trusted network; NIDS is silent
False negative
- Type of NIPS
- Malicious traffic is identified and then “shot down”
Active response NIPS
- Type of NIPS
- Acts as a Layer 3-7 firewall device that traffic flows through
Inline NIPS
Class of solutions that are tasked specifically with trying to detect or prevent data from leaving the organization in an unauthorized manner
Data loss prevention (DLP)
Name 4 endpoint security controls
- Antivirus
- Application whitelisting
- Removable media controls
- Disk encryption
- Endpoint Security Control
- App used to determine in advance which binaries are considered safe to execute on a given system
Application whitelisting
- The process of capturing a snapshot of the current system security configuration
- Can be helpful during a potential security incident
Baselining
Used to help mitigate the risks associated with hard disk failures
Redundant Array of Inexpensive Disks (RAID)
Achieves full data redundancy by writing the same data to multiple hard disks
Mirroring
- Increases read and write performance by spreading data across multiple hard disks
- Writes can be performed in parallel across multiple disks rather than serially on one disk
Striping
- Achieves data redundancy by performing a calculation on the data of two drives and storing the result on a third
- After a failed drive is replaced, the RAID controller rebuilds the lost data from the other two drives
Parity
- RAID Level
- Block-level striping
- Employs striping to increase the performance of reads and writes
- Striping offers no data redundancy
RAID 0
- RAID Level
- Creates/writes an exact duplicate of all data to an additional disk
- Mirrored set
RAID 1
- RAID Level
- Legacy technology that requires either 14 or 39 hard disks and a specially designed hardware controller
- Cost prohibitive
- Stripes at bit level
RAID 2
- RAID Level
- Byte-level striping
- Dedicated disk is leveraged for storage of parity info used for recovery from a failure
RAID 3
- RAID Level
- Block-level striping
- Employs a dedicated parity drive
RAID 4
- RAID Level
- Block-level striping
- Distributes the parity info across multiple disks
RAID 5
- RAID Level
- Block-level striping with double distributed parity
RAID 6
- RAID Level
- Combines disk mirroring and striping to protect data
- Requires minimum of four disks
RAID 10
Multiple systems are configured so that, in case of failure, another can seamlessly take over and maintain availability of the service or application
High-availability cluster (aka Failover cluster)
- Each member actively processes data in advance of failure
- e.g. load balancing
Active-active HA cluster
Backup systems only begin processing data when a failure is detected
Active-passive cluster
- Goal is to ensure that changes do not lead to reduced or compromised security
- Makes it possible to roll back any changes to a previous secured state
Change management
- Form of nonstatistical sampling that records only events that exceed a threshold
- e.g. for failed logon attempts, an alarm can be raised only if five failed login attempts are detected within a 30-minute period
Clipping
- Typically addresses common concepts such as purpose, scope, and results discovered or revealed
- Reports that contain sensitive info should be assigned a classification label and handled appropriately
Audit reports
Ensures that object access and account management practices support security policy
Access review audit
Ensures that the principle of least privilege is followed and often focuses on privileged accounts
User entitlement audits