Domain 7: Security Operations

Question 1

Recommended height of a security fence

Answer 1

8 feet with barbed wire to keep most intruders out.

6-7 feet too hard to climb easily but won’t keep determined intruders out.

3-4 feet

Question 2

Smurf Attack

Answer 2

A Smurf attack spoofs the source IP address with the victim’s address and floods the broadcast address with internet control message protocol (ICMP) requests. This causes devices on the network to send an ICMP reply to the victim for each ICMP request sent by the attacker.

Question 3

Separation of Duties

Answer 3

Separation of duties allows for two or more people to play separate roles in the completion of a critical process. Two people serving separate functions at the same time within a holistic process can allow for auditing and accountability.

Question 4

MTD

Answer 4

Maximum tolerable Downtime

Question 5

SLE

Answer 5

Single Loss Expectancy

Question 6

RPO

Answer 6

Recovery Point Objective

Defines how much data can be lost in terms of time.

Question 7

Exposure Factor

Answer 7

The percentage of loss that an organization would experience if a specific asset were violated by a realized risk

Question 8

RTO

Answer 8

Recovery Time Objective.

Should NOT exceed MTD

Question 9

Duress Function

Answer 9

Covertly signal that the individual disarming the alarm system is being coerced to do so, even while the appearance of compliance is maintained.

Question 10

Syn Flood

Answer 10

In a SYN flood attack, a client exploits the TCP three-way handshake by only sending SYN packets but never responding. The volume of resources this consumes on the host eventually causes the host to become overwhelmed and unresponsive.

Question 11

Ping of Death

Answer 11

A Ping of death (PoD) attack is a denial-of-service (DoS) attack, in which the attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size, causing the target machine to freeze or crash. The original ping of death attack is less common today.

Question 12

Fraggle attack

Answer 12

DOS Attack similar to Smurf attack. Difference is that it uses UDP port 7 and 19 instead of ICMP.

Attacker spoof the source IP address so that UDP responses to there instead of to the attacker. DOS attack against that spoofed address.

Question 13

How long should it take to activate a hot site?

Answer 13

A few minutes to a few hours.

Question 14

How long should it take to activate a warm site?

Answer 14

Few hours to a few days.

Question 14

How long should it take to activate a cold site?

Answer 14

A few days to a few weeks.

Question 14

During a cybersecurity investigation, what is considered MOST important?

Answer 14

Preservation of Evidence

Question 15

How well lit should a parking lot or perimeter of building be?

Answer 15

Two foot-candles

A foot-candle is one lumen per square foot. The accepted standard for lighting used in parking lots or perimeters is a minimum of two foot-candles.

Question 16

Capacitance IDS

Answer 16

A capacitance intrusion detection system detects changes in the electromagnetic field around the sensor. When a person walks into the field, it disturbs the field’s electromagnetic properties and will set off the alarm.

Question 17

Configuration management

Answer 17

Configuration Management is used to ensure secure baselines on systems are adequately maintained, and any deviations are authorized and documented. Configuration Management seeks to establish safe, reliable configurations for systems.

Question 18

Change Management Plan

Answer 18

A Change Management Plan is a generic plan that documents how changes will be monitored and controlled. It defines the process for managing change in the project.

Question 19

Need to know principle

Answer 19

The need to know principle is used to determine if a user’s access to certain information is necessary to perform their job role sufficiently.

Question 20

RAID 1

Answer 20

Disk Mirroring. Requires at least 2 disks, with exact copies of the same data on each.

Question 21

EDRM

Answer 21

Electronic Discovery Reference Model.

Used in eDiscovery. Four phases

Identification

Collection

Processing

Review

Question 22

Full backup

Answer 22

Complete copy of the target system, file, or data structure.

Question 23

Differential backup

Answer 23

A differential backup captures changes since the last full backup.

Question 24

incremental backup

Answer 24

An incremental backup captures all the changes since the last full or incremental backup.

Question 25

Parallel Test

Answer 25

A parallel test includes performing all steps of a real recovery, except that you keep the live production systems running in the original location during the test. The actual production systems run in parallel with the disaster recovery systems.

Question 26

Most common type of perimeter defense.

Answer 26

Lighting

Question 27

Syn-Ack Spoofing (Control not attack)

Answer 27

Many NGFWs can spoof Syn-ack conversations on behalf of the target system. Once the far end has proven it’s real (by continuing the 3-way handshake) - then the traffic is passed along to the target host

Question 28

Statistical Sampling

Answer 28

Technique that can be used with Log analysis to reduce the sheer volume of logs to inspect.

Question 29

Passive Monitoring vs Active Monitoring

Answer 29

Passive Monitoring: Uses network tap or span port to capture traffic to analyze it without impacting the network.

Active Monitoring, AKA Synthetic Monitoring: USes recorded or generated traffic to test for performance and other issues.

Question 30

Signature based monitoring

Answer 30

Uses file signatures to review file danger. i.e. ips, ids, antimalware.

Question 31

Teardrop Attack

Answer 31

Exploits a flaw in a system’s ability to re-asseble oversized fragmented packets. Attacker sent oversized fraged packets that cause the victim system to crash when assembled.

OSG page 817

Question 32

Evidence requirements

Answer 32

Relevant to determining a fact

Material (related to ) to the case.

Competent - meaning obtained legally.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 913, 919-920.

Question 33

Remote Mirroring

Answer 33

When an exact copy of a database is maintained at an alternate location.

This is real-time

Question 34

Electronic Vaulting

Answer 34

Method of storing complete copy of DB in another location, but does NOT do so in real time.

Question 35

Remote Journaling

Answer 35

Realtime offsite duplication of database transaction logs, but NOT the DB itself.

Question 36

Transaction Logging

Answer 36

SEE OSG

Question 37

Clipping (alerting)

Answer 37

Analysis Technique that only reports alerts after exceeding a specific threshold. Specific form of sampling.

Question 38

Application Log

Question 39

System Log

Answer 39

Records system events, such as when a system starts or stops, or services start/stop, or when service attributes are modified.

Question 40

Can an IDS determine if an attack was successful or not?

Answer 40

Usually not- it doesn’t have direct access to see process information on target systems.

Question 41

Documentary Evidence

Answer 41

Documentary evidence consists of any written items that prove or disprove facts. Documentary evidence generally must be authenticated by firsthand evidence to prove the evidence’s trustworthiness.

Question 42

Real Evidence

Answer 42

AKA Object evidence.

Consists of thing that may actually be brought physically into the court of law. i.e. murder weapon, clothing, other physical objects.

In computer crime, may be a seized computer.

Question 43

Documentary Evidence Rules

Answer 43

Best Evidence Rules - states that the original document has to be introduced, not a copy.

Parol Evidence Rule - When an agreement between parties is put in written form, the document is assumed to contain all terms of the agreement and no verbal agreements may modify the written agreement.

Question 44

Testimonial Evidence

Answer 44

Witness testimony.

Question 45

Demonstrative Evidence

Answer 45

Used to support testimonial evidence.

Example, if a witness is explaining a network - they may use a network map as a demonstration device.

Question 46

Clipping (alerting)

Answer 46

The predetermined threshold for the number of errors, or the number of times an error occurs before it is considered suspicious

Question 47

Capacitance Motion Detector

Answer 47

A capacitance motion detector contains an electromagnetic field surrounding the device. When an object is present, changes to that field are detected and trigger an alarm.

Question 48

Wave Pattern motion detector

Answer 48

A wave pattern motion detector transmits a consistent low ultrasonic frequency signal into a monitored area to discover significant or meaningful changes or disturbances in the reflected pattern.

Question 49

Faraday bag

Answer 49

faraday bag prevents electromagnetic interference and the ability to remotely wipe or otherwise interact with a device remotely

Question 50

Should you analyze the original RAM or Hard drive?

Answer 50

NO - original evidence shouldn’t be touched beyond taking copies. Analyze the copies.

Question 51

Warded lock

Answer 51

Lock that uses obstructions to prevent the lock opening

Question 52

DHCP Snooping uses

Answer 52

Prevent ARP Poisoning attack.

Prevents rogue DHCP servers

Binds MAC addresses to IP addresses for trustworthiness.

Question 53

Direct Evidence

Answer 53

Direct evidence may come from witnesses who give oral testimony based on their observations. Direct evidence cannot be hearsay, which is second-hand testimony.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 913-916.

Question 54

Circumstantial evidence

Answer 54

Used to prove an intermediate fact used to assume another fact.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 913-916.

Question 55

Conclusive Evidence

Answer 55

Conclusive evidence is irrefutable and cannot be contradicted.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 913-916.

Question 56

Hierarchical Storage Management

Answer 56

Processof putting older backups on slower, cheaper forms of media - and newer backups on faster, more accessible forms of media.

Hierarchical Storage Management (HSM) system dynamically manages data across different storage media to optimize for access speed or media cost. This technology is frequently used in backup solutions. For example, a HSM will transfer last week’s backup from Solid-State Drives (SSDs) to spindle drives and, after a month, it may transfer it to tape.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 896.

Question 57

Do normal home/business insurance policies cover floods?

Answer 57

Not usually

Question 58

Proximity card

Answer 58

uses an electromagneticT coil for identification.

Question 59

SSAE18 and SOC

Answer 59

SSAE 18 is an attestation standard often used in SOC Audits.

Question 60

Impersonation - AKA Spoofing, AKA Masquerading

Answer 60

Act of taking on the identity of someone else.