Domain 7 Flash Cards

1
Q

Allowed/Blocked listing

A

allowed or blocked entities; a register of entities that are granted (or denied) a particular privilege, service, mobility, access or recognition, including web addresses, IP addresses, geographic locations, hardware addresses, and files/programs; entities on the allowed list will be accepted, approved and/or recognized; formerly known as whitelist/blacklist (now deprecated terms); systems can also alert IT security personnel when an access attempt involves a resource not on a pre-approved list, and can incorporate anti-malware

2
Q

Alternate site

A

contingency or Continuity of Operations (COOP) site used to assume system or org operations, if the primary site is not available

3
Q

Backup

A

copies of files or programs to facilitate recovery

4
Q

Baseline

A

total inventory of all of a system's components (e.g. hardware, software, data, admin controls, documentation, user instruction); types of baselines include enumerated baselines (inventory lists generated by system cataloging, discovery or enumeration), build security baselines (the minimal set of security controls for each CI, see below), modification/update/patch baselines (subsets of the total system baseline), and configuration baselines (which should include a revision/version identifier associated with each CI)

5
Q

Bastion host

A

a special-purpose computer on a network specifically designed and configured to withstand attacks; it is typically placed in a demilitarized zone (DMZ) or exposed network segment, and its primary function is to act as a gateway between an internal network and external, potentially untrusted networks (like the internet); key characteristics of a bastion host include:

Hardened security: minimizing the number of running services and apps, which reduces the potential attack surface
Publicly accessible: exposed to the internet or an untrusted network, acting as the first point of contact for external users
Logging and monitoring: includes extensive logging and monitoring to detect suspicious activity
Limited network access: typically has limited access to the internal network

6
Q

Change management

A

A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.

7
Q

Clipping

A

one of two main methods of choosing records from a large pool for further analysis; clipping uses threshold values to select those records exceeding a predefined threshold (also see sampling)

8
Q

Configuration management
(CM)

A

A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).

9
Q

Configuration Item (CI)

A

aggregation of information system components designated for configuration management and treated as a single entity in the config management process

10
Q

Cyber forensics

A

gathering, retaining, and analyzing data for investigative purposes, while maintaining the integrity of that data

11
Q

Disruption

A

unplanned event that causes a system to be inoperable for a length of time

12
Q

DPI (Deep Packet Inspection)

A

a method used by firewalls and other network security devices to examine the data portion (or payload) of packets as they pass through the firewall; DPI goes beyond traditional packet filtering by not only inspecting the header information (such as source/destination IP addresses and port numbers) but also analyzing the content within the packet to identify and respond to security threats

13
Q

Egress monitoring

A

monitoring the flow of info out of an org’s boundaries

14
Q

Entitlement

A

refers to the privileges granted to users when an account is first provisioned

15
Q

Entity

A

any form of a user including hardware device, software daemon, task, processing thread or human, which is attempting to use or access system resources; e.g. endpoint devices are entities that human (or non-human) users use to access a system; should be subject to access control and accounting

16
Q

Event

A

observable occurrence in a network or system

17
Q

Hackback

A

actions taken by a victim of hacking to compromise the systems of the alleged attacker

18
Q

Heuristics

A

method of machine learning which identifies patterns of acceptable activity, so that deviations from the patterns will be identified

19
Q

Honeypots/honeynets

A

Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy malicious or unauthorized intruders, as a means of delaying their attempts to access production data/assets.

20
Q

Incident

A

an event which potentially or actually jeopardizes the CIA of an information system or the info the system processes, stores, transmits

21
Q

Indicator

A

technical artifact or observable occurrence suggesting that an attack is imminent, currently underway, or has already occurred

22
Q

Indicators of Compromise (IoC)

A

a signal that an intrusion, malware infection, or other predefined hostile or hazardous set of events has occurred or is occurring

23
Q

Information Security Continuous Monitoring (ISCM)

A

maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions; ongoing monitoring sufficient to ensure and assure effectiveness of security controls

24
Q

Information Sharing and Analysis Center (ISAC)

A

entity or collaboration created for the purpose of analyzing critical cyber and related information, to better understand security problems and interdependencies and to ensure CIA

25
Q

Intrusion detection system
(IDS)

A

A solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access.

26
Q

Intrusion Prevention System
(IPS)

A

A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access.

27
Q

Job rotation

A

The practice of having personnel become familiar with multiple positions within the organization as a means to reduce single points of failure and to better detect insider threats.

28
Q

Least privilege

A

The practice of only granting a user the minimal permissions necessary to perform their explicit job function.

29
Q

Log

A

record of actions/events that have taken place on a system

30
Q

Media

A

Any object that contains data; bounded media includes Ethernet, fibre, and coax, while unbounded media is wireless.

31
Q

Motion detector types

A

wave pattern motion detectors transmit ultrasonic or microwave signals into the monitored area, watching for changes in the signals returned by objects; infrared heat-based detectors watch for unusual heat patterns; capacitance detectors work based on changes in electromagnetic fields

32
Q

Mean time between failures (MTBF)

A

an estimate of the time between the first and any subsequent failures

33
Q

Mean time to failure (MTTF)

A

the expected typical functional lifetime of the device given a specific operating environment

34
Q

Mean time to repair (MTTR)

A

the average length of time required to perform a repair on the device

35
Q

Need to know

A

Primarily associated with organizations that assign clearance levels to all users and classification levels to all assets; restricts users with the same clearance level from sharing information unless they are working on the same effort. Entails compartmentalization.

36
Q

Netflow

A

data that contains info on the source, destination, and size of all network communications and is routinely saved as a matter of normal activity

37
Q

Parity bits

A

RAID technique; logical mechanism used to mark striped data; allows recovery of missing drive(s) by pulling data from adjacent drives

38
Q

Patch

A

An update or fix for an IT asset, used to remediate a vulnerability.

39
Q

Precursor

A

signal from events suggesting a possible change of conditions, that may alter the current threat landscape

40
Q

Regression testing

A

testing of a system to ascertain whether recently approved modifications have changed its performance, or if other approved functions have introduced unauthorized behaviors

41
Q

Request For Change (RFC)

A

documentation of a proposed change in support of change management activities

42
Q

Root Cause Analysis

A

principle-based systems approach for the identification of underlying causes associated with a particular risk set or incidents

43
Q

RTBH (Remote Triggered Black Hole)

A

a network security technique used in conjunction with firewalls and routers to mitigate Distributed Denial of Service (DDoS) attacks or unwanted traffic by dropping malicious or unwanted traffic before it reaches the target network; RTBH works by creating a “black hole route”, where packets destined for a specific IP address are discarded or “dropped” by the network equipment, effectively isolating malicious traffic

44
Q

Sandboxing

A

An isolated test environment that simulates the production environment but will not affect production components/data.

45
Q

Separation of duties

A

The practice of ensuring that no organizational process can be completed by a single person; forces collusion as a means to reduce insider threats.

46
Q

Striping

A

RAID technique; writing a data set across multiple drives.

47
Q

Sampling

A

one of two main methods of choosing records from a large pool for further analysis; sampling uses statistical techniques to choose a sample that is representative of the entire pool (also see clipping)

48
Q

System Center Configuration Manager (SCCM)

A

a Microsoft systems management software product that provides the capability to manage large groups of computers, providing remote control, patch management, software distribution, operating system deployment, and hardware and software inventory

49
Q

Security Incident

A

Any attempt to undermine the security of an org, or any violation of a security policy, is a security incident

50
Q

Secure Web Gateway (SWG)

A

a security solution that filters and monitors internet traffic for orgs, ensuring that users can securely access the web while blocking malicious sites, preventing data leaks, and enforcing web browsing policies; while it is not a traditional firewall, it complements firewall functionality by focusing specifically on web traffic security

51
Q

TCP Wrappers

A

a host-based network access control system used in Unix-like operating systems to filter incoming connections to network services; allows administrators to define which IP addresses or hostnames are allowed or denied access to certain network services, such as SSH, FTP, or SMTP, by controlling access based on incoming TCP connections; TCP Wrappers relies on two config files: /etc/hosts.allow, and /etc/hosts.deny

52
Q

Trusted Computing Base (TCB)

A

the collection of all hardware, software, and firmware components within an architecture that is specifically responsible for security and the isolation of objects that forms a trusted base

TCB is a term that is usually associated with security kernels and the reference monitor
a trusted base enforces the security policy
a security perimeter is the imaginary boundary that separates the TCB from the rest of the system; TCB components communicate with non-TCB components using trusted paths
the reference monitor is the logical part of the TCB that confirms whether a subject has the right to use a resource prior to granting access
the security kernel is the collection of the TCB components that implement the functionality of the reference monitor
53
Q

Tuple

A

tuple usually refers to a collection of values that represent specific attributes of a network connection or packet; these values are used to uniquely identify and manage network flows, as part of a state table or rule set in a firewall; as an example, a 5-tuple is a bundle of five values that identify a specific connection or network session: the source IP address, source port number, destination IP address, destination port number, and the protocol in use (e.g. TCP or UDP)

54
Q

Uninterruptible power
supplies (UPS)

A

Batteries that provide temporary, immediate power during times when utility service is interrupted.

55
Q

View-Based access controls

A

access control that allows a database to be logically divided into components like records, fields, or groups, allowing sensitive data to be hidden from non-authorized users; admins can set up views by user type, allowing access only to assigned views