Domain 7: Security Operations Flashcards

1
Q

Alternate Site

A

A general term for a contingency or continuity of operations (COOP) site used to assume system or organizational operations if the primary site is not usable for a period.

2
Q

Backup

A

A copy of files and programs made to facilitate recovery, if necessary.

3
Q

Baseline

A

The total inventory of all of a system’s components, including hardware, software, data, administrative controls, documentation, or user instructions.

4
Q

Baselining

A

Creating a total inventory of a system, component by component, part by part.

5
Q

Blocked Listing and Allowed Listing (software, identities, addresses)

A

Use of lists of blocked or allowed identities, whether as users, URLs, URIs, web addresses, IP addresses, geographic regions, hardware addresses, files, or programs, as a means of controlling (prohibiting or permitting) their access, use, or attempt to load and execute.

6
Q

Change Management

A

The formal process an organization uses to transition from the current state to a future state. This typically includes mechanisms to request, evaluate, approve, implement, verify, and learn from the change.

7
Q

Configuration Item

A

(1) An aggregation of information system components designated for configuration management (CM) and treated as a single entity in the CM process. (2) An item or aggregation of hardware, software, or both, which is designated for configuration management and treated as a single entity in the CM process.

8
Q

Configuration Management (CM)

A

A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.

9
Q

Cyber Forensics

A

The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

10
Q

Disaster Recovery (DR)

A

The ability to provide IT services following an interruption, often at an alternate location.

11
Q

Disruption

A

An unplanned event that causes an information system to be inoperable for a length of time (e.g., minor or extended power outage, extended unavailable network or equipment, or facility damage or destruction).

12
Q

Egress Monitoring

A

Monitoring the flow of information out of an organization’s control boundaries.

13
Q

Entity

A

Any form of user, such as a hardware device, software daemon, task, processing thread, or human, that is attempting to use or access system resources. Endpoint devices, for example, are entities that human (or nonhuman) users make use of in accessing a system. Entities should be subject to access control and accounting. See also User and Entity Behavior Analytics.

14
Q

Eradication

A

In incident response, the activities that remove the cause of the incident from the environment. This often requires the use of a formal root cause analysis process.

15
Q

Event

A

Any observable occurrence in a network or system.

16
Q

False Positive

A

Incorrectly classifying a benign activity, system state, or configuration as malicious or vulnerable.

17
Q

Forensics, Cyber Forensics

A

The examination of evidence related to suspected criminal activity. Cyber forensics refers to investigations of such activities involving information systems.

18
Q

Full Backup

A

Copies the entire system to backup media.

19
Q

Hackback

A

Actions taken by a victim of hacking to compromise the systems of the alleged attacker.

20
Q

Hardening

A

The process of applying secure configurations (to reduce the attack surface) and locking down various hardware, communications systems, and software, including the operating system, web server, application server, and application. Hardening is normally performed based on industry guidelines and benchmarks such as those provided by the Center for Internet Security (CIS).

21
Q

Honeypots/Honeynets

A

Machines that exist on the network, but do not contain sensitive or valuable data; they are meant to distract and occupy malicious attackers or unauthorized intruders, as a means of delaying their attempts to access production data/assets. Several machines of this kind, linked together as a network or subnet, are referred to as a honeynet.

22
Q

Hot Site

A

A fully operational offsite data processing facility equipped with hardware and software, to be used in the event of an information system disruption.

23
Q

Incident

A

An event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.

24
Q

Incident Response

A

The mitigation of violations of security policies and recommended practices.

25
Q

Incident

A

The event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.

26
Q

Indicator

A

A technical artifact or observable occurrence that suggests an attack is imminent or is currently underway, or that a compromise may have already occurred.

27
Q

Indicators of Compromise (IoC)

A

A signal that an intrusion, malware, or other predefined hostile or hazardous set of events is occurring or has occurred.

28
Q

Information Security Continuous Monitoring (ISCM)

A

Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. [Note: The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organizational information.] Ongoing monitoring sufficient to ensure and assure the effectiveness of security controls related to systems, networks, and cyberspace, by assessing security control implementation and organizational security status in accordance with organizational risk tolerance, and within a reporting structure designed to make real-time, data-driven risk-management decisions.

29
Q

Information Sharing and Analysis Center (ISAC)

A

Any entity or collaboration created or employed by public- or private-sector organizations, for purposes of gathering and analyzing critical cyber and related information to better understand security problems and interdependencies related to cyber systems, to ensure their availability, integrity, and reliability.

30
Q

Intrusion

A

A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so.

31
Q

Intrusion Detection System (IDS)

A

A security service that monitors and analyzes network or system events for the purpose of finding and providing real-time or near-real-time warning of attempts to access system resources in an unauthorized manner.

32
Q

Intrusion Prevention Systems (IPS)

A

A security service that uses available information to determine if an attack is underway; it then sends alerts but also blocks the attack from reaching its intended target.

33
Q

Log

A

A record of actions and events that have taken place on a computer system.

34
Q

Precursor(s)

A

Signals from events that suggest a possible change of conditions (internal or external to the organization) may alter the current threat landscape. An increase in tensions in local political or social environments, or complaints or grievances by employees or customers going viral in social media, are examples of precursors.

35
Q

Provisioning

A

Taking a particular configuration baseline, making additional or modified copies of it, then taking steps as necessary to properly place those copies into the environments they should belong in.

36
Q

Ransom Attack

A

Any form of attack that threatens the destruction, denial, or unauthorized public release or remarketing of private information assets. Usually involves encrypting these assets and withholding the decryption key until the ransom is paid by the victim.

37
Q

Ransomware

A

Malware used for the purpose of facilitating a ransom attack.

38
Q

Recovery

A

The process of jointly addressing business resiliency and restoration of critical infrastructure and functionality after a disruption.

39
Q

Regression Testing

A

Testing of a system to ascertain whether recently approved modifications have changed its performance of other approved functions or have introduced other unauthorized behaviors.

40
Q

Remediation

A

Changes to a system’s configuration to immediately limit or reduce the chance of recurrence of an incident. This might include updating the sensitivities, thresholds, or alarm settings on any number of security controls, or instituting a rapid reset of access controls information such as passwords and security challenge responses.

41
Q

Request for Change (RFC)

A

The documentation of a proposed change in support of change management activities.

42
Q

Root Cause Analysis

A

A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks or incidents.

43
Q

Sandbox

A

A testing environment that is logically, physically, or virtually isolated from other environments, and in which applications or systems can be evaluated. Sandboxes can be used as part of development, integration, or acceptance testing (so as to not interact with the production environments), as part of malware screening, or as part of a honeynet.

44
Q

Threat Intelligence

A

Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.

45
Q

User and Entity Behavior Analytics (UEBA)

A

Analysis of behaviors and activities of human and nonhuman users, and of the software and hardware entities associated with those users and activities, as a way of detecting inappropriate or unauthorized activity, including fraud detection, malware, and insider attacks.

46
Q

Vulnerability Management

A

The activities necessary to identify, assess, prioritize, and remediate information system weaknesses.

47
Q

secure facility plan

A

A guide that outlines the security needs of your organization and emphasizes methods or mechanisms to employ to provide security. Such a plan is developed through risk assessment and critical path analysis.

48
Q

critical path analysis

A

A systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements.

49
Q

technology convergence

A

The tendency for various technologies, solutions, utilities, and systems to evolve and merge over time. Often this results in multiple systems performing similar or redundant tasks or one system taking over the features and abilities of another. Though in some instances this can result in improved efficiency and cost savings, it can also represent a single point of failure and become a more valuable target for malicious hackers and intruders.

50
Q

industrial camouflage

A

The attempt to mask or hide the actual function, purpose, or operations of a facility by providing a façade presenting a believable or convincing alternative.

51
Q

crime prevention through environmental design (CPTED)

A

Guidelines that encourage architects and build-out designers to improve security through building elements. The concept of designing the structure of the physical environment and surroundings to influence individual decisions that potential offenders make before committing any criminal acts. This includes taking advantage of natural surveillance, access control, and territorial reinforcements.

52
Q

natural access control

A

A crime prevention through environmental design (CPTED) concept of the subtle guidance of those entering and leaving a building through placement of entranceways, use of fences and bollards, and placement of lights.

53
Q

natural surveillance

A

The crime prevention through environmental design (CPTED) concept that involves any means to make criminals feel uneasy through the increase of opportunities for them to be observed. This can be accomplished by an open and obstacle-free outside area, especially around entrances, with clear lines of sight.

54
Q

natural territorial reinforcement

A

The crime prevention through environmental design (CPTED) concept where there is an attempt to make the area feel like an inclusive, caring community. The area should be designed so that it looks cared for and respected and that it is actively being defended.

55
Q

administrative physical security controls

A

Security controls that include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.

56
Q

cable plant management policy

A

The policy governing the collection of interconnected cables and intermediary devices (such as cross-connects, patch panels, and switches) that establish the physical network.

57
Q

transponder proximity device

A

A mechanism that is self-powered and transmits a signal received by the reader. This can occur consistently or only at the press of a button (like a garage door opener or car alarm key fob). Such devices may have batteries or capacitors, or may even be solar powered.

58
Q

proximity reader

A

A passive device, field-powered device, or transponder that detects the presence of authorized personnel and grants them physical entry into a facility. The proximity device is worn or held by the authorized bearer. When they pass a proximity reader, the reader is able to determine who the bearer is and whether they have authorized access.

59
Q

proximity device, proximity card

A

A security device used to manage or control physical access. It can be a passive device, a field-powered device, or a transponder.

60
Q

passive proximity device

A

A mechanism that has no active electronics; it is just a small magnet with specific properties (like antitheft devices commonly found in or on retail product packaging). A passive device reflects or otherwise alters the electromagnetic (EM) field generated by the reader device. This alteration is detected by the reader device, which triggers the alarm, records a log event, or sends a notification.

61
Q

sensitive compartmented information facility (SCIF)

A

A secure or restricted work area often used by government and military agencies, divisions, and contractors to provide a secure environment for highly sensitive data storage and computation. The purpose of an SCIF is to store, view, and update sensitive compartmented information (SCI), which is a type of classified information.

62
Q

transient noise

A

A short duration of line noise disturbance.

63
Q

radio frequency interference (RFI), radio-frequency interference

A

The by-product of electrical processes, similar to electromagnetic interference (EMI). The major difference is that RFI is usually projected across a radio spectrum.

64
Q

electromagnetic interference (EMI)

A

The interference that can occur during transmissions over copper cable due to electromagnetic energy outside the cable. The result is degradation or loss of the signal. A type of electrical noise that can do more than just cause problems with how equipment functions; it can also interfere with the quality of communications, transmissions, and playback.

65
Q

rate-of-rise detection

A

A fire detection system that detects the fire and triggers the release of the suppression medium when the speed at which the temperature changes reaches a specific level or rate. These are often digital temperature measuring devices, which can be fooled by HVAC heating during winter months and thus are not widely deployed.

66
Q

flame-actuated detection

A

A fire detection system that detects a fire and triggers the release of the suppression medium based on the detection of the infrared energy of flames. This mechanism is fast and reliable but often fairly expensive. Thus, it is often only used in high-risk environments.

67
Q

fixed-temperature detection

A

A fire detection system that detects a fire and triggers the release of the suppression medium when a specific temperature is reached. This is the most common type of detector and present in most office buildings. The potentially visible sprinkler head serves as both the detection and release mechanism. The trigger is usually a metal or plastic component that is in the sprinkler head and melts at a specific temperature.

68
Q

smoke-actuated detection

A

A fire detection system that detects the fire and triggers the release of the suppression medium when smoke is detected using either photoelectric or radioactive ionization sensors as triggers. Either method monitors for light or radiation obstruction or reduction across an air gap caused by particles in the air. It is intended to be triggered by smoke, but dust and steam can sometimes trigger the alarm.

69
Q

wet pipe system

A

A fire suppression system that is always full of water. Water discharges immediately when triggered by a fire or smoke. Aka a closed head system.

70
Q

deluge system

A

Another form of dry pipe (fire suppression) system that uses larger pipes and therefore a significantly larger volume of water. Deluge systems are inappropriate for environments that contain electronics and computers.

71
Q

preaction system

A

A combination dry pipe/wet pipe system. The system exists as a dry pipe until the initial stages of a fire (smoke, heat, and so on) are detected, and then the pipes are filled with water.

72
Q

dry pipe system

A

A fire suppression system that contains compressed air. Once suppression is triggered, the air escapes, which opens a water valve that in turn causes the pipes to fill and discharge water into the environment.

73
Q

gas discharge system

A

A fire suppression system that releases a gas to extinguish the fire.

74
Q

nuisance alarm rate (NAR)

A

False positives caused by animals or foliage on perimeter intrusion detection and assessment system (PIDAS) fences.

75
Q

perimeter intrusion detection and assessment system (PIDAS)

A

A fence system that has two or three fences used in concert to optimize security. PIDAS fencing is often present around military locations and prisons. Typically, a PIDAS fence has one tall main fence, which may be 8 to 20 feet tall. The main fence may be electrified, may have barbed wire/razor wire elements, and/or can include touch detection technologies. This main fence is then surrounded by an outside fence, which may only be 4 to 6 feet tall. The purpose of this outer fence is to keep animals and casual trespassers from accessing the main fence.

76
Q

access control vestibule

A

A double set of doors that is often protected by a guard. The purpose is to contain a subject until their identity and authentication are verified. Previously known as a mantrap.

77
Q

bollard

A

A physical security mechanism designed to prevent vehicles from driving into buildings or other secured areas. See barricades. Aka security bollard.

78
Q

occupant emergency plans (OEP)

A

A guide that assists with sustaining personnel safety in the wake of a disaster. The OEP provides guidance on how to minimize threats to life, prevent injury, manage duress, handle travel, provide for safety monitoring, and protect property from damage due to a destructive physical event.
