Domain 7: Security Operations Flashcards

1
Q

Incident Response Steps

A
Detection 
Response 
Mitigation
Reporting
Recovery
Remediation
Lessons Learned
2
Q

Detection

A

.(aka Identification)
.What are all of the inputs into my incident response process?
.Events > Incidents

3
Q

Response

A

.(aka Containment)
.Step-by-step, depending upon classification and severity
.Forensic response?

4
Q

Mitigation

A

.(aka Eradication)
.Root cause analysis completed
.Get rid of bad things

5
Q

Reporting

A

.More formal here

.Includes incident responders (technical and non-technical)

6
Q

Recovery

A

.Restore systems and operations

.Increase monitoring

7
Q

Remediation

A

.Broader in context

8
Q

Lessons Learned

A

.(aka Post-incident Activity, Post Mortem, Reporting)

9
Q

Operational Preventive and Detective Controls

A
.IDS/IPS
.Firewall
.Security Services
.Anti-malware
.Honeypot
.Sandboxing
10
Q

Positives and negatives

A

.True Positive: Conficker worm is spreading on a trusted network, and NIDS alerts.

.True Negative: User surfs the web to an allowed site, and NIDS is silent.

.False Positive: User surfs the web to an allowed site, and NIDS alerts.

.False Negative: Conficker worm is spreading on a trusted network, and NIDS is silent.

11
Q

Continuous Monitoring

A

.Assessing and reassessing as an ongoing process

.A modern improvement to legacy Certifications and Accreditations

12
Q

Data Loss Prevention (DLP)

A

.Class of solutions used to detect and/or prevent data from leaving the organization
.Host-based, network-based, and application-based solutions

13
Q

Endpoint Security

A
HIDS/HIPS
Antivirus
Application Whitelisting (Most Effective)
Removable Media Controls
Disk Encryption
Privileged Access
14
Q

Sandboxing

A

.Security mechanism for separating running programs, usually in an effort to mitigate systems failures and/or software vulnerabilities from spreading.
.Used to execute untested or untrusted programs or code possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operation system.

15
Q

Configuration management

A

.The goal is to move beyond the default system configuration to one that is both hardened and meets the operational requirements of the organization.

.Disabling unnecessary services
.Removing extraneous programs
.Enabling security capabilities

16
Q

Baselining

A

.The process of capturing a point-in-time understanding of the current system's security configuration

.Continuous baselining is important

17
Q

Change Management Process Steps

A
.Identifying a change
.Proposing a change
.Assessing the associated risk
.Testing the change (backout plan)
.Scheduling the change
.Notifying the impacted parties
.Implementing the change
.Reporting the results
18
Q

Backups

A

Full: a replica of all allocated data on a hard disk

Incremental: only archives files that have changed since the last backup of any kind was performed

Differential: backs up any files that have changed since the last full backup.

19
Q

Redundant Array of Inexpensive Disks

RAID Levels

A

RAID 0: Striped Set (No redundancy)

RAID 1: Mirrored Set

RAID 3: Byte level striping with dedicated parity

RAID 4: Block level striping with dedicated parity

RAID 5: Block level striping with distributed parity

RAID 6: Block level striping with double distributed parity

RAID 1+0 or RAID 10:
>Nested RAID or Multi-RAID (one standard RAID level is encapsulated into another)
>Configuration is a striped set of mirrors

20
Q

RAID - Mirroring

A

.Used to achieve full data redundancy by writing the same data to multiple disks

.Most costly

21
Q

RAID - Striping

A

.Increases the read and write performance by spreading data across multiple hard disks.
>parallelization provides a performance increase but does not aid in data redundancy

22
Q

RAID - Parity

A

Achieves data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance

23
Q

Business Continuity Planning (BCP)

A

.Goal is ensuring that the business will continue to operate before, throughout, and after a disaster event is experienced
.Focus on the business as a whole
.A long-term strategy
.Takes into account items such as people, vital records, and processes in addition to critical systems

24
Q

Disaster Recovery Planning (DRP)

A

.More tactical in its approach
.Short-term plan for dealing with specific IT-oriented disruptions
.Provides a means for immediate response to disasters
.Does not focus on long-term business impact; short- and medium-term disruption.

25
Q

Errors and omissions

A

.Considered the single most common source of disruptive events.

.Inadvertently caused by humans

.Data entry mistakes are an example of errors and omissions

26
Q

Disaster Recovery Process Steps

A
.Respond
.Activate Team
.Communicate
.Assess
.Reconstitution
27
Q

BCP/DRP Steps (NIST 800-34)

A
.Project Initiation
.Scope the Project
.Business Impact Analysis
.Identify Preventative Controls
.Recovery Strategy
.Plan Design and Development
.Implementation, Training, and Testing
.BCP/DRP Maintenance
28
Q

Project Initiation

A
  1. Develop the contingency planning policy statement: Provides the authority and guidance necessary to develop an effective contingency plan
  2. Conduct the business impact analysis: Help identify and prioritize critical IT systems and components
  3. Identify preventative controls: measures taken to reduce the effects of systems disruptions
  4. Develop recovery strategies: ensure quick recovery
  5. Develop IT contingency plan: detailed guidance and procedures for recovering damaged systems
  6. Plan testing, training, and exercises
  7. Plan maintenance: plan should be updated regularly
29
Q

Business Impact Analysis

A

.Formal method for determining how a disruption to the IT systems of an organization will impact the organization.

.Analysis to identify and prioritize critical IT systems and components

.Objective is to correlate IT system components with the critical services they support

.Aim is to quantify the consequence of a disruption to the system component and how that will affect the organization

.Determine the Maximum Tolerable Downtime (MTD) for an asset

.Also provides information to improve business processes and efficiencies because it details all of the organization's policies and implementation efforts

30
Q

MTD -Maximum Tolerable Downtime

A

.Total time that a system can be inoperable before an organization is severely impacted.

.It is also the maximum time it takes to execute the reconstitution phase.

.Comprised of two metrics
>Recovery Time Objective (RTO)
>Work Recovery Time (WRT)

31
Q

Failure and Recovery Metrics

A

.Used to quantify how frequently systems fail, how long a system may exist in a failed state, and the maximum time to recover from failure

>Recovery Point Objective (RPO)
>Recovery Time Objective (RTO)
>Work Recovery Time (WRT)
>Mean Time Between Failures (MTBF)
>Mean Time To Repair (MTTR)
>Minimum Operating Requirements (MOR)
32
Q

Recovery Point Objective (RPO)

A

.The amount of data loss or system inaccessibility (measured in time) that an organization can withstand.

.The maximum acceptable amount of data/work loss for a given process because of a disaster or disruptive event.

33
Q

Recovery Time Objective (RTO)

Work Recovery Time (WRT)

A

.RTO: the maximum time allowed to recover business or IT systems (system recovery time)

.WRT: the time required to configure a recovered system.

MTD = RTO + WRT