Domain 7: Security Operations Flashcards

1
Q

Alternate Site

A

A general term for a contingency or continuity of operations (COOP) site used to assume system or organizational operations if the primary site is not usable for a period.

2
Q

Backup

A

A copy of files and programs made to facilitate recovery, if necessary.

3
Q

Baseline

A

The total inventory of all of a system’s components, including hardware, software, data, administrative controls, documentation, or user instructions.

4
Q

Baselining

A

Creating a total inventory of a system, component by component, part by part.

5
Q

Blocked Listing and Allowed Listing (software, identities, addresses)

A

Use of lists of blocked or allowed identities, whether as users, URLs, URIs, web addresses, IP addresses, geographic regions, hardware addresses, files, or programs, as a means of controlling (prohibiting or permitting) their access, use, or attempt to load and execute.

6
Q

Change Management

A

The formal process an organization uses to transition from the current state to a future state. This typically includes mechanisms to request, evaluate, approve, implement, verify, and learn from the change.

7
Q

Configuration Item

A

(1) An aggregation of information system components designated for configuration management (CM) and treated as a single entity in the CM process. (2) An item or aggregation of hardware, software, or both, which is designated for configuration management and treated as a single entity in the CM process.

8
Q

Configuration Management (CM)

A

A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.

9
Q

Cyber Forensics

A

The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

10
Q

Disaster Recovery (DR)

A

The ability to provide IT services following an interruption, often at an alternate location.

11
Q

Disruption

A

An unplanned event that causes an information system to be inoperable for a length of time (e.g., minor or extended power outage, extended unavailable network or equipment, or facility damage or destruction).

12
Q

Egress Monitoring

A

Monitoring the flow of information out of an organization’s control boundaries.

13
Q

Entity

A

Any form of user, such as a hardware device, software daemon, task, processing thread, or human, that is attempting to use or access system resources. Endpoint devices, for example, are entities that human (or nonhuman) users make use of in accessing a system. Entities should be subject to access control and accounting. See also User and Entity Behavior Analytics.

14
Q

Eradication

A

In incident response, the activities that remove the cause of the incident from the environment. This often requires the use of a formal root cause analysis process.

15
Q

Event

A

Any observable occurrence in a network or system.

16
Q

False Positive

A

Incorrectly classifying a benign activity, system state, or configuration as malicious or vulnerable.

17
Q

Forensics, Cyber Forensics

A

The examination of evidence related to suspected criminal activity. Cyber forensics refers to investigations of such activities involving information systems.

18
Q

Full Backup

A

Copies the entire system to backup media.

19
Q

Hackback

A

Actions taken by a victim of hacking to compromise the systems of the alleged attacker.

20
Q

Hardening

A

The process of applying secure configurations (to reduce the attack surface) and locking down various hardware, communications systems, and software, including the operating system, web server, application server, and application. Hardening is normally performed based on industry guidelines and benchmarks such as those provided by the Center for Internet Security (CIS).

21
Q

Honeypots/Honeynets

A

Machines that exist on the network, but do not contain sensitive or valuable data; they are meant to distract and occupy malicious attackers or unauthorized intruders, as a means of delaying their attempts to access production data/assets. Several machines of this kind, linked together as a network or subnet, are referred to as a honeynet.

22
Q

Hot Site

A

A fully operational offsite data processing facility equipped with hardware and software, to be used in the event of an information system disruption.

23
Q

Incident

A

An event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.

24
Q

Incident Response

A

The mitigation of violations of security policies and recommended practices.

25
Incident
The event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
26
Indicator
A technical artifact or observable occurrence that suggests an attack is imminent or is currently underway, or that a compromise may have already occurred.
27
Indicators of Compromise (IoC)
A signal that an intrusion, malware, or other predefined hostile or hazardous set of events is occurring or has occurred.
28
Information Security Continuous Monitoring (ISCM)
Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. [Note: The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.] Ongoing monitoring sufficient to ensure and assure effectiveness of security controls related to systems, networks, and cyberspace, by assessing security control implementation and organizational security status in accordance with organizational risk tolerance, and within a reporting structure designed to make real-time, data-driven risk-management decisions.
29
Information Sharing and Analysis Center (ISAC)
Any entity or collaboration created or employed by public- or private-sector organizations, for purposes of gathering and analyzing critical cyber and related information to better understand security problems and interdependencies related to cyber systems, to ensure their availability, integrity, and reliability.
30
Intrusion
A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so.
31
Intrusion Detection System (IDS)
A security service that monitors and analyzes network or system events for the purpose of finding and providing real-time or near-real-time warning of attempts to access system resources in an unauthorized manner.
32
Intrusion Prevention Systems (IPS)
A security service that uses available information to determine if an attack is underway; it then sends alerts but also blocks the attack from reaching its intended target.
33
Log
A record of actions and events that have taken place on a computer system.
34
Precursor(s)
Signals from events that suggest a possible change of conditions (internal or external to the organization) may alter the current threat landscape. An increase in tensions in local political or social environments, or complaints or grievances by employees or customers going viral in social media, are examples of precursors.
35
Provisioning
Taking a particular configuration baseline, making additional or modified copies of it, then taking steps as necessary to properly place those copies into the environments they should belong in.
36
Ransom Attack
Any form of attack that threatens the destruction, denial, or unauthorized public release or remarketing of private information assets. Usually involves encrypting these assets and withholding the decryption key until the ransom is paid by the victim.
37
Ransomware
Malware used for the purpose of facilitating a ransom attack.
38
Recovery
The process of jointly addressing business resiliency and restoration of critical infrastructure and functionality after a disruption.
39
Regression Testing
Testing of a system to ascertain whether recently approved modifications have changed its performance of other approved functions or have introduced other unauthorized behaviors.
40
Remediation
Changes to a system’s configuration to immediately limit or reduce the chance of recurrence of an incident. This might include updating the sensitivities, thresholds, or alarm settings on any number of security controls, or instituting a rapid reset of access controls information such as passwords and security challenge responses.
41
Request for Change (RFC)
The documentation of a proposed change in support of change management activities.
42
Root Cause Analysis
A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks or incidents.
43
Sandbox
A testing environment that is logically, physically, or virtually isolated from other environments, and in which applications or systems can be evaluated. Sandboxes can be used as part of development, integration, or acceptance testing (so as to not interact with the production environments), as part of malware screening, or as part of a honeynet.
44
Threat Intelligence
Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
45
User and Entity Behavior Analytics (UEBA)
Analysis of behaviors and activities of human and nonhuman users, and of the software and hardware entities associated with those users and activities, as a way of detecting inappropriate or unauthorized activity, including fraud detection, malware, and insider attacks.
46
Vulnerability Management
The activities necessary to identify, assess, prioritize, and remediate information system weaknesses.
47
secure facility plan
A guide that outlines the security needs of your organization and emphasizes methods or mechanisms to employ to provide security. Such a plan is developed through risk assessment and critical path analysis.
48
critical path analysis
A systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements.
49
technology convergence
The tendency for various technologies, solutions, utilities, and systems to evolve and merge over time. Often this results in multiple systems performing similar or redundant tasks or one system taking over the features and abilities of another. Though in some instances this can result in improved efficiency and cost savings, it can also represent a single point of failure and become a more valuable target for malicious hackers and intruders.
50
industrial camouflage
The attempt to mask or hide the actual function, purpose, or operations of a facility by providing a façade presenting a believable or convincing alternative.
51
crime prevention through environmental design (CPTED)
Guidelines that encourage architects and build-out designers to improve security through building elements. The concept of designing the structure of the physical environment and surroundings to influence individual decisions that potential offenders make before committing any criminal acts. This includes taking advantage of natural surveillance, access control, and territorial reinforcements.
52
natural access control
A crime prevention through environmental design (CPTED) concept of the subtle guidance of those entering and leaving a building through placement of entranceways, use of fences and bollards, and placement of lights.
53
natural surveillance
The crime prevention through environmental design (CPTED) concept that involves any means to make criminals feel uneasy through the increase of opportunities for them to be observed. This can be accomplished by an open and obstacle-free outside area, especially around entrances, with clear lines of sight.
54
natural territorial reinforcement
The crime prevention through environmental design (CPTED) concept where there is an attempt to make the area feel like an inclusive, caring community. The area should be designed so that it looks cared for and respected and that it is actively being defended.
55
administrative physical security controls
Security controls that include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.
56
cable plant management policy
The policy governing the collection of interconnected cables and intermediary devices (such as cross-connects, patch panels, and switches) that establish the physical network.
57
transponder proximity device
A mechanism that is self-powered and transmits a signal received by the reader. This can occur consistently or only at the press of a button (like a garage door opener or car alarm key fob). Such devices may have batteries or capacitors, or may even be solar powered.
58
proximity reader
A passive device, field-powered device, or transponder that detects the presence of authorized personnel and grants them physical entry into a facility. The proximity device is worn or held by the authorized bearer. When they pass a proximity reader, the reader is able to determine who the bearer is and whether they have authorized access.
59
proximity device, proximity card
A security device used to manage or control physical access. It can be a passive device, a field-powered device, or a transponder.
60
passive proximity device
A mechanism that has no active electronics; it is just a small magnet with specific properties (like antitheft devices commonly found in or on retail product packaging). A passive device reflects or otherwise alters the electromagnetic (EM) field generated by the reader device. This alteration is detected by the reader device, which triggers the alarm, records a log event, or sends a notification.
61
sensitive compartmented information facility (SCIF)
A secure or restricted work area often used by government and military agencies, divisions, and contractors to provide a secure environment for highly sensitive data storage and computation. The purpose of a SCIF is to store, view, and update sensitive compartmented information (SCI), which is a type of classified information.
62
transient noise
A short duration of line noise disturbance.
63
radio frequency interference (RFI), radio-frequency interference
The by-product of electrical processes, similar to electromagnetic interference (EMI). The major difference is that RFI is usually projected across a radio spectrum.
64
electromagnetic interference (EMI)
The interference that can occur during transmissions over copper cable due to electromagnetic energy outside the cable. The result is degradation or loss of the signal. A type of electrical noise that can do more than just cause problems with how equipment functions; it can also interfere with the quality of communications, transmissions, and playback.
65
rate-of-rise detection
A fire detection system that detects the fire and triggers the release of the suppression medium when the speed at which the temperature changes reaches a specific level or rate. These are often digital temperature measuring devices, which can be fooled by HVAC heating during winter months and thus are not widely deployed.
66
flame-actuated detection
A fire detection system that detects a fire and triggers the release of the suppression medium based on the detection of the infrared energy of flames. This mechanism is fast and reliable but often fairly expensive. Thus, it is often only used in high-risk environments.
67
fixed-temperature detection
A fire detection system that detects a fire and triggers the release of the suppression medium when a specific temperature is reached. This is the most common type of detector and present in most office buildings. The potentially visible sprinkler head serves as both the detection and release mechanism. The trigger is usually a metal or plastic component that is in the sprinkler head and melts at a specific temperature.
68
smoke-actuated detection
A fire detection system that detects the fire and triggers the release of the suppression medium when smoke is detected using either photoelectric or radioactive ionization sensors as triggers. Either method monitors for light or radiation obstruction or reduction across an air gap caused by particles in the air. It is intended to be triggered by smoke, but dust and steam can sometimes trigger the alarm.
69
wet pipe system
A fire suppression system that is always full of water. Water discharges immediately when triggered by a fire or smoke. Aka a closed-head system.
70
deluge system
Another form of dry pipe (fire suppression) system that uses larger pipes and therefore a significantly larger volume of water. Deluge systems are inappropriate for environments that contain electronics and computers.
71
preaction system
A combination dry pipe/wet pipe system. The system exists as a dry pipe until the initial stages of a fire (smoke, heat, and so on) are detected, and then the pipes are filled with water.
72
dry pipe system
A fire suppression system that contains compressed air. Once suppression is triggered, the air escapes, which opens a water valve that in turn causes the pipes to fill and discharge water into the environment.
73
gas discharge system
A fire suppression system that releases a gas to extinguish the fire.
74
nuisance alarm rate (NAR)
False positives from animals or foliage on perimeter intrusion detection and assessment system (PIDAS) fences.
75
perimeter intrusion detection and assessment system (PIDAS)
A fence system that has two or three fences used in concert to optimize security. PIDAS fencing is often present around military locations and prisons. Typically, a PIDAS fence has one tall main fence, which may be 8 to 20 feet tall. The main fence may be electrified, may have barbed wire/razor wire elements, and/or can include touch detection technologies. This main fence is then surrounded by an outside fence, which may only be 4 to 6 feet tall. The purpose of this outer fence is to keep animals and casual trespassers from accessing the main fence.
76
access control vestibule
A double set of doors that is often protected by a guard. The purpose is to contain a subject until their identity and authentication are verified. Previously known as a mantrap.
77
bollard
A physical security mechanism designed to prevent vehicles from driving into buildings or other secured areas. See barricades. Aka security bollard.
78
occupant emergency plans (OEP)
A guide that assists with sustaining personnel safety in the wake of a disaster. The OEP provides guidance on how to minimize threats to life, prevent injury, manage duress, handle travel, provide for safety monitoring, and protect property from damage due to a destructive physical event.
79
distributed denial-of-service (DDoS), DDoS attack
A distributed denial of service occurs when the attacker compromises several systems to be used as launching platforms against one or more victims (i.e., a botnet). The compromised systems used in the attack are often called zombies. A DDoS attack results in the victims being flooded with data from numerous sources. See also denial-of-service (DoS) attack, distributed reflective denial of service (DRDoS), and botnet.
80
distributed reflective denial of service (DRDoS), DRDoS attack
DRDoS attacks take advantage of the normal operation mechanisms of key internet services, such as DNS and router update protocols, which are used as an amplification or bounce system. DRDoS attacks function by sending numerous update, session, or control packets to various internet service servers or routers with a spoofed source address of the intended victim. This process causes a “reflection” of the request traffic to potentially be amplified and sent to the spoofed victim’s address. A DRDoS attack can result in so much traffic that upstream systems are adversely affected by the sheer volume of data focused on the victim. See also denial-of-service (DoS) attack, distributed denial of service (DDoS), and botnet.
81
SYN flood attack
A denial-of-service (DoS) attack in which the hacker sends a barrage of SYN packets. The receiving station tries to respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are rejected until all current connections can be established.
82
smurf attack
A type of distributed reflective denial of service (DRDoS). A smurf attack occurs when an amplifying server or network is used to flood a victim with useless ICMP reply packets.
83
ping flood attack
An attack that repeatedly sends ping/ICMP requests to a system. It can come from a single system as a DoS attack but is more often launched against a target by multiple systems in a DDoS attack.
84
on-path attack
An attack in which the hacker takes a position between a client and a server (or other entities) and then tricks the client into establishing a link with the hacker’s computer rather than the intended server. The attacker in turn establishes a link with the server using the client’s stolen credentials. Once established, the attacker can view all traffic between client and server as well as change the content. Previously known as man-in-the-middle (MitM).
85
sabotage
A criminal act committed against an organization by a knowledgeable employee.
86
knowledge-based detection
An intrusion discovery mechanism used by intrusion detection systems (IDSs) and based on a database of known attack signatures. The primary drawback to a knowledge-based IDS is that it is effective only against known attack methods. Aka signature-based detection or pattern-matching detection.
87
behavior-based detection, behavioral-based detection
An intrusion discovery mechanism used by IDS. Behavior-based detection finds out about the normal activities and events on your system through watching and learning. Once it has accumulated enough data about normal activity, it can detect abnormal and possible malicious activities and events. Aka statistical intrusion detection, anomaly detection, and heuristics-based detection. See also anomaly-based detection, heuristic-based detection, and signature-based detection.
88
host-based IDS (HIDS)
An intrusion detection system (IDS) that is installed on a single computer and can monitor the activities on that computer. A host-based IDS is able to pinpoint the files and processes compromised or employed by a malicious user to perform unauthorized activity. The alternative is a network-based system.
89
network-based IDS (NIDS), network-based IPS (NIPS)
An intrusion detection system (IDS) or intrusion prevention system (IPS) approach that attaches the system to a point in the network where it can monitor and report on all network traffic.
90
data extraction
The process of extracting elements of data from a large body of data to construct a meaningful representation or summary of the whole. See sampling.
91
sampling
A form of data reduction that allows an auditor to quickly determine the important issues or events from an audit trail. Aka data extraction.
92
clipping level
A threshold value used in violation analysis auditing. Crossing the clipping level triggers the recording of relevant event data to an audit log.
93
traffic analysis
A form of monitoring in which the flow of packets rather than the actual content of packets is examined. Also referred to as trend analysis.
94
Security Orchestration, Automation, Response (SOAR)
A collection of software solutions that can automate the process of collecting and analyzing log and real-time data, evaluate it in light of materials from threat intelligence sources, and then trigger response to low- and mid-level severity issues without the need for human involvement.
95
threat hunting
The activity of security professionals to seek out and identify new threats. A threat hunt is a proactive search through IoCs, log files, or other observables to locate malware or intruders lurking on a system.
96
single point of failure (SPoF)
Any one item, element, or pathway that could cause significant downtime or system failure if broken, offline, or overloaded.
97
system resilience
The ability of a system to maintain an acceptable level of service during an adverse event. It relies on fault-tolerant components and also effective intrusion detection and intrusion prevention systems.
98
fault tolerance
The ability of a system to suffer a fault but continue to operate without losing data. Fault tolerance is achieved by adding redundant components such as additional disks within a redundant array of independent disks (RAID) or additional servers within a failover clustered configuration.
99
disk striping
Technology that enables writing data to multiple disks simultaneously in small portions called stripes. These stripes maximize use by having all the read/write heads working constantly. Different data is stored on each disk and isn’t automatically duplicated; thus, disk striping by itself doesn’t provide fault tolerance. Aka RAID 0.
100
disk mirroring
Technology that keeps identical copies of data on two or more disks to prevent the loss of data if one disk is damaged. Aka RAID 1. A variant is known as duplexing when two different drive controllers are used in addition to two drives. A technology that takes advantage of disk mirroring is a redundant array of independent (or inexpensive) disks (RAID).
101
disk striping with parity
A fault-tolerance solution of writing data across a number of disks and recording the parity on another. In the event any one disk fails, the data on it can be re-created by looking at the remaining data and computing parity to figure out the missing data. Aka RAID 5.
102
stripe of mirrors
RAID 10: two or more mirrored sets (RAID 1) that are then striped together (RAID 0).
103
fail-open
Describes a system that protects equipment and/or human safety in the event of a system failure. The response of a system to a failure so that it defaults to an “allow” posture.
104
fail securely
A system designed with a specific failure plan, such as fail-soft, fail-safe, fail-secure, fail-open, or fail-closed.
105
cold site
A physical site (designated as a recovery location) that has few to none of the resources necessary to enable an organization to use it if the main site is inaccessible, destroyed, or otherwise experiencing a disaster.
106
hot site
A configuration in which a backup facility is maintained in constant working order, with a full complement of servers, workstations, and communications links ready to assume primary operations responsibilities. A location that can provide complete operations support within hours of a failure to minimize or eliminate downtime in the event of a disaster affecting a company’s primary location.
107
warm site
A middle ground between hot sites and cold sites for disaster recovery specialists. A warm site always contains the equipment and data circuits necessary to rapidly establish operations but does not typically contain copies of the client’s data.
108
mobile sites
Nonmainstream alternatives to traditional recovery sites that typically consist of self-contained trailers or other easily relocated units.
109
mutual assistance agreement (MAA)
An agreement in which two organizations pledge to assist each other in the event of a disaster by sharing computing facilities or other technological resources. Aka reciprocal agreement.
110
electronic vaulting
A storage scenario in which database backups are transferred to a remote site in a bulk transfer fashion. The remote location may be a dedicated alternative recovery site (such as a hot site) or simply an off-site location managed within the company or by a contractor for the purpose of maintaining backup data.
111
remote journaling
Transferring copies of the database transaction logs containing the transactions that occurred since the previous bulk transfer.
112
remote mirroring
Maintaining a live database server at the backup site. It is the most advanced database backup solution.
113
differential backup
A type of backup that copies only new files or files that have changed since the last full backup onto the backup media. Differential backups differ from incremental backups in that they don’t clear the archive bit or change the timestamp on completion.
114
full backup
A complete copy of data contained on the protected device on the backup media. This process also clears the archive bit or changes the timestamp of files upon completion.
115
incremental backup
A type of backup that includes only new files or files that have changed since the last full backup or the last incremental backup. Incremental backups clear the archive bit or change the timestamps of files on completion.