Domain 7: Security Operations

Question 1

Incident Response Steps

Answer 1

Detection 
Response 
Mitigation
Reporting
Recovery
Remediation
Lessons Learned

Question 2

Detection

Answer 2

.(aka Identification)
.what are all of the inputs into my incident response process
.Events > Incidents

Question 3

Response

Answer 3

.(aka Containment)
.steps-by-steps,depending upon classification and severity
.Forensic response?

Question 4

Mitigation

Answer 4

.(aka Eradication)
.Root cause analysis completed
.Get rid of bad things

Question 5

Reporting

Answer 5

.More formal here

.Included incidents responders (technical and non technical)

Question 6

Recovery

Answer 6

.Restore systems and operations

.Increase monitoring

Question 7

Remediation

Answer 7

.Broader in context

Question 8

Lessons Learned

Answer 8

.(aka Post-incident Activity, Post Mortem, Reporting

Question 9

Operational Preventing and Detective Controls

Answer 9

.IDS/IPS
.Firewall
.Security Services
.Anti-malware
.Honeypot
.Sandboxing

Question 10

Positives and negatives

Answer 10

.True Positive: Conficker worm i spreading on a trusted network and NIDS alerts.

.True Negative: User surfs the web for an allowed site and NIDS is silent.

False Positive: User surfs the web to an allowed site, and NIDS alerts.

False Negative: Conflicker worm is spreading on a trusted network, and NIDS is silent

Question 11

Continuous Monitoring

Answer 11

.Assessing and reassessing an ongoing process

.A modern improvement to legacy Certifications and Accreditations

Question 12

Data Loss Prevention (DLP)

Answer 12

.Class of solutions used to detect and/or prevent data from leaving the organization
Host based, network based and application based solutions

Question 13

Endpoint Security

Answer 13

HIDS/HIPS
Antivirus
Application Whitelisting (Most Effective)
Removable Media Controls
Disk Encryption
Privileged Access

Question 14

Sandboxing

Answer 14

.Security mechanism for separating running programs, usually in an effort to mitigate systems failures and/or software vulnerabilities from spreading.
.Used to execute untested or untrusted programs or code possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operation system.

Question 15

Configuration management

Answer 15

.The goal is to move beyond the default systems configuration to on e that is both hardended and meets the operational requirements of the organization.

.Disabling unnecessary services
.Removing extraneous programs
.Enabling security capabilities

Question 16

Baselining

Answer 16

.The process of capturing a point in time understanding of the current systems security configuration

.Continuing baselining is important

Question 17

Change Management Process Steps

Answer 17

.Identifying a change
.Proposing a change
.Assessing the associated risk
.Testing the change (backout plan)
.Scheduling the change
.Notifying the impacted parties
.Implementing the change
.Reporting the results

Question 18

Backups

Answer 18

Full: a replica of all allocated data on a hard disk

Incremental: only archives files that have changed since the last backup of any kind was performed

Differential: backups any files that have changed since the last full backup.

Question 19

Redundant Array of Inexpensive Disks

RAID Levels

Answer 19

RAID 0: Striped Set (No redendancy)

RAID 1: Mirrored Set

RAID 3: Byte level striping with dedicated parity

RAID 4: Block level striping with dedicated parity

RAID 5: Block level striping with distributed parity

RAID 6: Block level striping with double distributed parity

RAID 1+0 or RAID 10:
>Nested RAID or Multi-RAID (one standard RAID level is encapsulated into another
>Configuration is a striped set of mirrors

Question 20

RAID - Mirroring

Answer 20

.Used to achieve full data redundancy by writing the same data to multiple disks

.Most costly

Question 21

RAID - Striping

Answer 21

.Increases the read and write performance by spreading data across multiple hard disks.
>parallelization provides a performance increase but does not aid in data redundancy

Question 22

RAID - Parity

Answer 22

Achieves data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance

Question 23

Business Continuity Planning (BCP)

Answer 23

.Goal is ensuring that the business will continue to
operate before, throughout, and after a disaster event is experienced
• Focus on the business as a whole
• A long-term strategy
• Takes into account items such as people, vital records, and processes in addition to critical systems

Question 24

Disaster Recovery Planning (DRP)

Answer 24

.more tactical in its approach
• Short-term plan for dealing with specific IT-oriented disruptions
• Provides a means for immediate response to disasters
• Does not focus on long-term business impact; short and medium-term disruption.

Question 25

Error and omissions

Answer 25

.Considered the single most common sources of disruptive events.

.Inadvertently caused by humans

.Data entry mistakes are an example of the errors and omissions

Question 26

Disaster Recovery Process Steps

Answer 26

.Respond
.Activate Team
.Communicate
.Assess
.Reconstitution

Question 27

BCP/DCP Steps (NIST 800-34)

Answer 27

.Project Initiation
.Scope the Project
.Business Impact Analysis
.Identify Preventative Controls
.Recovery Strategy
.Plan Design and Development
.Implementation, Training, and Testing
BCP/DRP Maintenance

Question 28

Project Initiation

Answer 28

1. Develop the contingency planning policy statement: Provides the authority and guidance necessary to develop and effective contingency plan
2. Conduct the business impact analysis: Help identify and prioritize critical IT systems and components
3. Identify preventative controls: measures taken to reduce the effects of systems disruptions
4. Develop recovery strategies: ensure quick recovery
5. Develop IT contingency plan: detailed guidance and procedures for recovering damaged systems
6. Plan testing, training, and exercises
7. Plan maintenance: plan should be updated regularly

Question 29

Business Impact Analysis

Answer 29

.Formal method for determining how a disruption to the IT systems of as organization will impact the organization.

.Analysis to identify and prioritize critical IT systems and components

.Objective is to correlate IT systems components with the critical service it supports

.Aim is the quantify the consequence of a disruption to the system component and how that will affect the organization

.Determine the Maximum Tolerable Downtime (MTD) for and asset

.Also provides information to improve business processes and efficiencies because it details all of the organizations policies and implementation efforts

Question 30

MTD -Maximum Tolerable Downtime

Answer 30

.Total time that a system van be inoperable before and organization is severely impacted.

.It is also the maximum time it takes to execute the reconstitution phase.

.Comprised of two metrics
>Recovery Time Objective (RTO)
>Work Recovery Time (WRT)

Question 31

Failure and Recovery Metrics

Answer 31

.Used to quantify how frequently systems fail, how long a systems may exist in a failed state, and maximum time to recover from Failure

>Recovery Point Objective (RPO)
>Recovery Time Objective (RTO)
>Work Recovery Time (WRT)
Mean Time Between Failures (MTBF)
Mean Time To Repair (MTTR)
Minimum Operating Requirements (MOR)

Question 32

Recovery Point Objective (RPO)

Answer 32

.The amount of data loss or system inaccessibility (measured in time) that an organization can withstand.

.The maximum acceptable amount of data/work loss for a given process because of a disaster or disruptive event.

Question 33

Recovery Time Objective (RTO)

Work Recovery Time (WRT)

Answer 33

.RTO: the maximum time allowed to recover business or IT systems (system recovery time)

.WRT: the time required to configure a recovered system.

MTD= RTO+WRT