Domain 7 Security Operations Flashcards
What is the 8-step lifecycle of Incident Management?
- Preparation
- Detection (Identification)
- Response (Containment)
- Mitigation (Eradication)
- Reporting
- Recovery
- Remediation
- Lessons Learned
What type of IPS response prevents authorised traffic?
False Positive
Our Intrusion Prevention System (IPS) has blocked permitted traffic. What is this an example of?
False Positive
Our Intrusion Prevention System (IPS) has allowed permitted traffic to pass. What is this an example of?
True Negative
Our Intrusion Prevention System (IPS) has blocked malicious traffic. What is this an example of?
True Positive
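As an added example (not part of the flashcards), the four IPS outcomes on the cards above scored over a small log. The log format, addresses, rule names and the ground-truth labels are all constructed for the demonstration.

```python
# Added example, not from the flashcards: scoring IPS decisions against ground
# truth so each event lands in one of the four outcomes on the cards above.
# The log format, addresses, rule names and ground-truth labels are constructed.
from collections import Counter

# Constructed IPS log: action, source, destination, rule that fired ("-" if none)
IPS_LOG = """\
BLOCK 203.0.113.7   10.0.0.5:445 SMB-EXPLOIT-ATTEMPT
ALLOW 198.51.100.9  10.0.0.8:443 -
BLOCK 192.0.2.14    10.0.0.8:443 HTTP-SQLI-GENERIC
ALLOW 203.0.113.7   10.0.0.5:22  -
ALLOW 198.51.100.22 10.0.0.8:80  -
BLOCK 192.0.2.40    10.0.0.8:80  HTTP-SQLI-GENERIC
"""

# Constructed ground truth: (source, destination) pairs that really were malicious
MALICIOUS = {
    ("203.0.113.7", "10.0.0.5:445"),
    ("203.0.113.7", "10.0.0.5:22"),
    ("192.0.2.40", "10.0.0.8:80"),
}


def classify(action, malicious):
    """Map the IPS decision plus the true nature of the traffic to an outcome."""
    if action == "BLOCK":
        return "TP" if malicious else "FP"   # blocked malicious / blocked permitted
    return "FN" if malicious else "TN"       # allowed malicious / allowed permitted


def score(log, malicious_pairs):
    """Count outcomes over every log line."""
    counts = Counter()
    for line in log.splitlines():
        action, src, dst, _rule = line.split()
        counts[classify(action, (src, dst) in malicious_pairs)] += 1
    return dict(counts)


def rates(counts):
    """Detection rate (TP over all malicious) and false-positive rate (FP over all permitted)."""
    tpr = counts.get("TP", 0) / (counts.get("TP", 0) + counts.get("FN", 0))
    fpr = counts.get("FP", 0) / (counts.get("FP", 0) + counts.get("TN", 0))
    return tpr, fpr


if __name__ == "__main__":
    c = score(IPS_LOG, MALICIOUS)
    print(c, rates(c))
```

The false negative (the allowed SSH connection from the host that also launched the SMB exploit) is the outcome the cards do not list, and the one that tuning a signature set to reduce false positives tends to increase.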
What type of control is application whitelisting?
Preventive (it stops unapproved executables from running); the logged block attempts also give it a detective aspect.
What type of control is configuration management?
Preventive
What are some asset management techniques?
Configuration Management
Patch Management
Change Management
What is the generalised flow of Change Management?
- Identify the change
- Propose the change
- Assess the change (risks, impact, benefits)
- Provisional change approval
- Test the change (roll back if it fails)
- Schedule the change
- Notify impacted parties of the change
- Implement the change
- Post-implementation reporting
- Lessons learned
What is one of the most important ways to ensure fault tolerance?
Backing up data. Backups are what we restore from after a fault; redundancy such as RAID is what keeps the service running through it.
What is a copy backup?
Essentially a full backup that does not clear the archive bit, so it can be taken at any time without disturbing the incremental or differential chain.
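As an added example (not part of the flashcards), a small model of the archive bit that goes beyond the copy-backup card to compare it with full, incremental and differential backups: full and incremental clear the bit on what they copy, copy and differential leave it set. The file names and the week's schedule are constructed.

```python
# Added example, not from the flashcards: a model of the archive bit so the
# behaviour of full, copy, incremental and differential backups can be compared.
# Full and incremental clear the bit on what they copy; copy and differential
# do not. The file names and the week's schedule are constructed.


def new_volume(names):
    """A volume is a dict of file name -> archive bit (True = modified since last full/incremental)."""
    return {name: True for name in names}


def modify(volume, name):
    """Any write to a file sets its archive bit."""
    volume[name] = True


def backup(volume, kind):
    """Perform one backup; return the names copied and update archive bits accordingly."""
    if kind in ("full", "copy"):
        selected = sorted(volume)                                   # everything
    elif kind in ("incremental", "differential"):
        selected = sorted(n for n, bit in volume.items() if bit)    # only flagged files
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    if kind in ("full", "incremental"):
        for name in selected:
            volume[name] = False     # copy and differential leave the bits alone
    return selected


def simulate(schedule, files=("a", "b", "c")):
    """Run a schedule of (kind, files_modified_before_it) and return what each backup copied."""
    vol = new_volume(files)
    copied = []
    for kind, changed in schedule:
        for name in changed:
            modify(vol, name)
        copied.append((kind, backup(vol, kind)))
    return copied


# Constructed week: Sunday full, then one file changed per day; Wednesday is an
# ad-hoc copy backup (say, for an auditor) which must not disturb the chain.
WEEK_INCREMENTAL = [("full", []), ("incremental", ["a"]), ("incremental", ["b"]),
                    ("copy", []), ("incremental", ["c"])]
WEEK_DIFFERENTIAL = [("full", []), ("differential", ["a"]), ("differential", ["b"]),
                     ("copy", []), ("differential", ["c"])]

if __name__ == "__main__":
    for day in simulate(WEEK_INCREMENTAL):
        print(day)
    for day in simulate(WEEK_DIFFERENTIAL):
        print(day)
```

Swap the Wednesday copy for a full backup and the Thursday differential shrinks to just `c`: the bits were cleared mid-week, so a restore from Sunday's full plus Thursday's differential would silently miss `a` and `b`.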
Does RAID 0 provide fault tolerance?
No
How many disk failures can RAID 5 take?
Only one.
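As an added example (not part of the flashcards), a byte-level model of RAID 0 striping and RAID 5 striping with rotating XOR parity, showing why RAID 0 survives no disk failure and RAID 5 survives exactly one. The disk count, the 2-byte stripe unit and the sample payload are constructed; a real array works on much larger blocks.

```python
# Added example, not from the flashcards: a byte-level model of RAID 0 (striping)
# and RAID 5 (striping with rotating XOR parity), showing why RAID 0 survives no
# disk failure and RAID 5 survives exactly one. Disk count, unit size and the
# sample data are constructed; a real array works on blocks, not 2-byte units.


def xor_units(units):
    """XOR equal-length byte strings together (the parity operation)."""
    out = bytearray(len(units[0]))
    for u in units:
        for i, b in enumerate(u):
            out[i] ^= b
    return bytes(out)


def raid0_write(data, ndisks, unit=2):
    """Round-robin the data units across the disks; no redundancy at all."""
    padded = data + b"\x00" * (-len(data) % (unit * ndisks))
    disks = [[] for _ in range(ndisks)]
    for i in range(0, len(padded), unit):
        disks[(i // unit) % ndisks].append(padded[i:i + unit])
    return disks


def raid0_read(disks, length, failed=()):
    """Any failed disk takes its share of every stripe with it, so the data is gone."""
    if failed:
        return None
    stripes = len(disks[0])
    out = b"".join(disks[d][s] for s in range(stripes) for d in range(len(disks)))
    return out[:length]


def raid5_write(data, ndisks, unit=2):
    """Each stripe holds ndisks-1 data units plus one parity unit; parity rotates across disks."""
    nd = ndisks - 1
    stripe_bytes = unit * nd
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    disks = [[] for _ in range(ndisks)]
    for s, off in enumerate(range(0, len(padded), stripe_bytes)):
        dunits = [padded[off + i * unit: off + (i + 1) * unit] for i in range(nd)]
        parity = xor_units(dunits)
        pdisk = s % ndisks                      # parity disk for this stripe
        it = iter(dunits)
        for d in range(ndisks):
            disks[d].append(parity if d == pdisk else next(it))
    return disks


def raid5_read(disks, length, failed=()):
    """Rebuild the data with up to one failed disk: a missing unit (data or parity)
    is the XOR of the surviving units in its stripe. Two failures are unrecoverable."""
    if len(failed) > 1:
        return None
    ndisks, stripes = len(disks), len(disks[0])
    out = bytearray()
    for s in range(stripes):
        units = [disks[d][s] for d in range(ndisks)]
        if failed:
            f = failed[0]
            units[f] = xor_units([u for d, u in enumerate(units) if d != f])
        pdisk = s % ndisks
        out += b"".join(u for d, u in enumerate(units) if d != pdisk)
    return bytes(out[:length])


DATA = b"Domain 7 Security Operations"   # constructed payload, 28 bytes

if __name__ == "__main__":
    r5 = raid5_write(DATA, 4)
    print(raid5_read(r5, len(DATA), failed=(1,)))     # rebuilt from parity
    print(raid5_read(r5, len(DATA), failed=(0, 2)))   # None: two failures
    r0 = raid0_write(DATA, 4)
    print(raid0_read(r0, len(DATA), failed=(1,)))     # None: no parity to rebuild from
```

The reconstruction works identically whether the lost unit was data or parity, which is why the parity disk position can rotate; a second failure in the same stripe leaves one XOR equation with two unknowns.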
What common temperature should data centres be kept at?
68-77 F (20-25 C)
What is the allowable temperature range for data centers?
59-90 F (15-32 C)
What humidity range should data centers be kept within?
40-60%
What is the RPO?
Recovery Point Objective - the maximum tolerable data loss for each system, i.e. how far back the last recoverable state may be (an RPO of 4 hours needs a backup or replica at least every 4 hours).
What is the Maximum Tolerable Downtime (MTD)?
Total time a system can be inoperable before the organisation is severely impacted.
MTD >= RTO + WRT (the recovery and work-recovery times together must fit inside the MTD)
What is RTO?
Recovery Time Objective - time to get the system itself back up (hardware, OS, applications).
What is WRT?
Work Recovery Time - time after the system is back to restore data, verify it and return it to business use.
What is the MTBF?
Mean Time Between Failures - how long a new or repaired system or component will function on average before failing
What is the MTTR?
Mean Time To Repair - how long it will take, on average, to repair or recover a failed system.
What is the MOR?
Minimum Operating Requirements - minimum environmental and connectivity requirements for our critical system to function.
What is the COOP?
Continuity of Operations Plan
How we keep operating during a disaster: how we get staff to alternate sites, and all the operational things we need in place to keep functioning.
What is the BRP?
Business Recovery Plan - the steps needed to restore normal business operations after recovering from a disruptive event.
This could be failing back from the failover site to the primary site.
What is the rescue team in BCP?
Responsible for dealing with the disaster as it happens: evacuates employees, notifies the appropriate personnel, disconnects the affected server from the network, shuts systems down and does the initial damage assessment.
What is the recovery team in BCP?
- Responsible for getting the alternate site up and running as fast as possible, or for getting the systems rebuilt. They get the most critical systems up first.
What is the salvage team?
- Responsible for returning full infrastructure, staff and operations to the primary site, or to a new facility if the old site is destroyed.
- They get the least critical systems up first, proving the restored site before the critical systems move back.
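As an added example (not part of the flashcards), a check of a recovery plan against the MTD >= RTO + WRT relation from the MTD card: first per system, then for the whole estate when one recovery team rebuilds systems one after another, restoring the shortest-MTD (most critical) systems first as the recovery team card describes. The systems, the figures and the assumption that rebuilds are serialised while work recovery overlaps the next rebuild are all constructed; times are in hours.

```python
# Added example, not from the flashcards: checking a recovery plan against the
# MTD >= RTO + WRT relation on the cards above, first per system and then for
# the whole estate when one recovery team rebuilds systems one after another.
# Restoring the shortest-MTD (most critical) systems first is what the recovery
# team card describes. Systems and all figures are constructed; times are hours.

# (name, MTD, RTO = rebuild hardware/OS, WRT = restore data, verify, hand back)
SYSTEMS = [
    ("payments",      8, 3, 2),
    ("email",        24, 2, 1),
    ("hr-portal",    72, 4, 2),
    ("order-intake", 10, 3, 3),
]


def meets_mtd(rto, wrt, mtd):
    """A single system's plan is only feasible if RTO + WRT fits inside its MTD."""
    return rto + wrt <= mtd


def schedule(systems, prioritize=True):
    """Simulate sequential rebuilds by one recovery team.

    With prioritize=True systems are rebuilt shortest-MTD first; otherwise in the
    order given. Rebuild (RTO) is serialized on the team; the WRT of one system is
    assumed to overlap the next rebuild (done by the application owners).
    Returns (name, hour the system is usable, MTD, within MTD) per system.
    """
    order = sorted(systems, key=lambda s: s[1]) if prioritize else list(systems)
    clock, result = 0, []
    for name, mtd, rto, wrt in order:
        clock += rto
        up_at = clock + wrt
        result.append((name, up_at, mtd, up_at <= mtd))
    return result


def violations(systems, prioritize=True):
    """Names of systems that would exceed their MTD under the simulated schedule."""
    return [name for name, _up, _mtd, ok in schedule(systems, prioritize) if not ok]


if __name__ == "__main__":
    print(all(meets_mtd(rto, wrt, mtd) for _, mtd, rto, wrt in SYSTEMS))  # each plan alone is feasible
    print(violations(SYSTEMS))                    # critical-first order
    print(violations(SYSTEMS, prioritize=False))  # listed order
```

Every system passes the per-system check on its own, yet restoring them in the order they happen to be listed pushes order-intake past its MTD; sorting by MTD (earliest deadline first) is what makes the same figures workable, which is the practical content of "most critical systems up first".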
What is the BCP Framework?
NIST SP 800-34 - Contingency Planning Guide for Federal Information Systems
What is the difference between BIA and BCP?
A business continuity plan (BCP) describes what steps must be taken in case of an outage or disruption, whereas a BIA identifies the risk that could prompt the outage as well as the critical business functions that could be impacted by the outage and prioritizes these for recovery.