Domain 7 Security Operations Flashcards

1
Q

The major objective of system configuration management is which of the following?

A

system stability.

2
Q

When RAID runs as part of the operating system on the file server, it is an example of a:

A

software implementation.

3
Q

Which of the following is NOT a common backup method?

A

Daily backup method
A daily backup is not a backup method, but defines the periodicity at which backups are made. There can be daily full, incremental or differential backups.

4
Q

Which backup method only copies files that have been recently added or changed and also leaves the archive bit unchanged?

A

Differential backup method

5
Q

Which of the following Operations Security controls is intended to prevent unauthorized intruders from internally or externally accessing systems? Such a control reduces the amount and impact of unintentional errors entering the system.

A

Preventative Controls

6
Q

Which of the following terms BEST describes a network of computers, virtualized or real that mimics a real organization’s network that is designed to delay and log attackers’ activity while the organization’s real network is safely elsewhere?

A

Honeynet

A Honeypot is similar to a honeynet in that it’s a fake system designed to distract attackers and log intruder activities to learn of new attack styles. A Honeynet is usually a collection of Honeypots.

7
Q

RAID, Redundant Array of Inexpensive Disks, is very commonly implemented. Which of the following is an INCORRECT statement about RAID?

A

RAID level 0 is striping and not mirroring.

8
Q

This functional group plans, operates and maintains business emergency planning programs for the organization. Setting strategic direction and training are key duties of this group.

A

Contingency Planning Group

9
Q

Which of the following levels in the Capability Maturity Model Integration (CMMI) model focuses on process definition and process deployment?

A

Level 3

Level 1 - Initial (Chaotic)
It is characteristic of processes at this level that they are (typically) undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes.

Level 2 - Repeatable
It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

Level 3 - Defined
It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and used to establish consistency of process performance across the organization.

Level 4 - Managed
It is characteristic of processes at this level that, using process metrics, management can effectively control the AS-IS process (e.g., for software development). In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process Capability is established from this level.

Level 5 - Optimizing
It is a characteristic of processes at this level that the focus is on continually improving process performance through both incremental and innovative technological changes/improvements.

10
Q

This alternate site strategy is employed for applications that cannot accept any downtime without negatively impacting the organization. The applications are split between two geographically dispersed data centers and either load balanced between the two centers or hot swapped between the two centers. What is the name of this approach?

A

Dual data center

11
Q

A RAID implementation that uses its own Central Processing Unit (CPU) for calculations on an intelligent controller card is a:

A

hardware implementation.

12
Q

Which of the following answers BEST describes software on a user’s computer that inspects and controls inbound and outbound traffic and protects it from attack?

A

Host-Based Firewall

13
Q

Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?

A

System and information owners

14
Q

When should a post-mortem review meeting be held after an intrusion has been properly taken care of?

A

Within the first week of completing the investigation of the intrusion.

15
Q

In the context of network enumeration by an outside attacker and possible Distributed Denial of Service (DDoS) attacks, which of the following firewall rules is not appropriate to protect an organization’s internal network?

A

Allow echo reply outbound

Echo replies outbound should be dropped, not allowed. There is no reason for any internet user to send ICMP ECHO Requests to your internal hosts from the internet. If they wish to find out whether a service is available, they can use a browser to connect to your web server, or simply send an email if they wish to test your mail service.

Echo replies outbound could be used as part of the SMURF amplification attack, where someone sends ICMP echo requests to gateways' broadcast addresses in order to amplify the request by the X number of hosts sitting behind the gateway.

16
Q

Which are the two primary types of scanners used for protecting against malware?

A

Malware mask/signatures and Heuristic Scanner

17
Q

Business Continuity Plan (BCP)—

A

a long-term plan to ensure the continuity of business operations

18
Q

Continuity of Operations Plan (COOP)—

A

a plan to maintain operations during a disaster.

19
Q

Disaster—

A

any disruptive event that interrupts normal system operations

20
Q

Disaster Recovery Plan (DRP)—

A

a short-term plan to recover from a disruptive event

21
Q

Mean Time Between Failures (MTBF)—

A

quantifies how long a new or repaired system will run on average before failing

22
Q

Mean Time to Repair (MTTR)—

A

describes how long it will take to recover a failed system

23
Q

Mirroring—

A

Complete duplication of data to another disk, used by some levels of RAID.

24
Q

Redundant Array of Inexpensive Disks (RAID)—

A

A method of using multiple disk drives to achieve greater data reliability, greater speed, or both

25
Q

Striping—

A

Spreading data writes across multiple disks to achieve performance gains, used by some levels of RAID

26
Q

The current forensic approach

A

favors some degree of live forensics, which includes taking a bit-by-bit (binary) image of physical memory, gathering details about running processes, and gathering network connection data.

27
Q

The general phases of the forensic process are:

A

the identification of potential evidence;
the acquisition of that evidence;
analysis of the evidence;
and production of a report.

28
Q

The four basic types of disk-based forensic data are:

A

Allocated space— portions of a disk partition that are marked as actively containing data.

Unallocated space— portions of a disk partition that do not contain active data. This includes portions that have never been allocated, and previously allocated portions that have been marked unallocated. If a file is deleted, the portions of the disk that held the deleted file are marked as unallocated and made available for use.

Slack space— data is stored in specific size chunks known as clusters (clusters are sometimes also referred to as sectors or blocks). A cluster is the minimum size that can be allocated by a file system. If a particular file, or final portion of a file, does not require the use of the entire cluster then some extra space will exist within the cluster. This leftover space is known as slack space: it may contain old data, or can be used intentionally by attackers to hide information.

“Bad” blocks/ clusters/ sectors— hard disks routinely end up with sectors that cannot be read due to some physical defect. The sectors marked as bad will be ignored by the operating system since no data could be read in those defective portions. Attackers could intentionally mark sectors or clusters as being bad in order to hide data within this portion of the disk.

29
Q

Network Forensics

A

With network forensics, the entire contents of e-mails, IM conversations, Web surfing activities, and file transfers can be recovered from network equipment and reconstructed to reveal the original transaction.

30
Q

ESI

A

Electronically Stored Information

31
Q

NIST incident response lifecycle in 4 steps:

A
  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication and Recovery
  4. Post-incident Activity
32
Q

CISSP Exam IR lifecycle 8 steps:

A
  1. Preparation
  2. Detection (aka Identification)
  3. Response (aka Containment)
  4. Mitigation (aka Eradication)
  5. Reporting
  6. Recovery
  7. Remediation
  8. Lessons Learned
33
Q

There are four types of IDS events:

A

true positive,
true negative,
false positive,
false negative.

34
Q

Network-based Intrusion Detection System (NIDS)

A

detects malicious traffic on a network. A NIDS usually requires promiscuous network access in order to analyze all traffic, including all unicast traffic. NIDS are passive devices that do not interfere with the traffic they monitor.

35
Q

Host-based Intrusion Detection Systems (HIDS) and Host-based Intrusion Prevention Systems (HIPS)

A

process information within the host. They may process network traffic as it enters the host, but the exam’s focus is usually on files and processes.
For example, Tripwire protects system integrity by detecting changes to critical operating system files. Changes are detected through a variety of methods, including comparison of cryptographic hashes.

36
Q

Hanlon’s Razor, a maxim that reads: “Never attribute to malice that which is adequately explained by stupidity.”

A

All Information Security Professionals should understand Hanlon’s Razor. There is plenty of malice in our world: worms, phishing attacks, identity theft, etc. But there is more brokenness and stupidity: most disasters are caused by user error.

37
Q

Pattern Matching IDS

A

Discovers known attacks only, by pattern recognition. Will not alert on zero-day attacks.

38
Q

Protocol Behavior IDS

A

Monitors protocol (e.g., TCP) behavior.

39
Q

Anomaly Detection IDS

A

works by establishing a baseline of normal traffic. The Anomaly Detection IDS then ignores that traffic, reporting on traffic that fails to meet the baseline.

40
Q

Endpoint protection features

A

antivirus, application whitelisting, removable media controls, disk encryption, Host Intrusion Prevention Systems, and desktop firewalls.

41
Q

honeywall

A

A honeynet firewall that is intended to limit the likelihood of the honeynet being used to attack other systems.

42
Q

The three basic types of backups are:

A

full backup, incremental backup and differential backup.

43
Q

Full Backup

A

The full backup is the easiest to understand of the types of backup; it is simply a replica of all allocated data on a hard disk. Full backups contain all of the allocated data on the hard disk.

44
Q

Incremental backups

A

Incremental backups only archive files that have changed since the last backup of any kind was performed. Since fewer files are backed up, the time to perform the incremental backup is greatly reduced.

If a data or disk failure occurs and there is a need for recovery, then the most recent full backup and each and every incremental backup since that full backup are required to initiate a recovery.

45
Q

Differential backup

A

The differential method will back up any files that have been changed since the last full backup.

If a data or disk failure occurs and there is a need for recovery, then only the most recent full backup and the most recent differential backup are required to initiate a full recovery.

46
Q

Archive Bits

A

File systems, such as Microsoft’s NTFS, support the archive bit. This bit is a file attribute used to determine whether a file has been archived since its last modification.

As files are modified, the associated archive bits are set to 1 (indicating the file has changed, and needs to be archived). An incremental backup will archive each modified file and reset the archive bit to 0.

47
Q

RAID - Redundant Array of Inexpensive Disks

A

RAID Level Description
RAID 0 Striped Set
RAID 1 Mirrored Set
RAID 3 Byte Level Striping with Dedicated Parity
RAID 4 Block Level Striping with Dedicated Parity
RAID 5 Block Level Striping with Distributed Parity
RAID 6 Block Level Striping with Double Distributed Parity

48
Q

Three critical RAID terms are:

A

mirroring,
striping and
parity.

49
Q

Mirroring

A

Used to achieve full data redundancy by writing the same data to multiple hard disks. Since mirrored data must be written to multiple disks, the write times are slower (though caching by the RAID controller may mitigate this).

50
Q

Striping

A

Striping is a RAID concept that is focused on increasing the read and write performance by spreading data across multiple hard disks. With data being spread amongst multiple disk drives, reads and writes can be performed in parallel across multiple disks rather than serially on one disk. This parallelization provides a performance increase, but does not aid in data redundancy.

51
Q

Parity

A

Parity is a means to achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance.

52
Q

RAID 0 – Striped Set

A

RAID 0 employs striping to increase the performance of reads and writes. By itself, striping offers no data redundancy, so RAID 0 is a poor choice if recovery of data is the reason for leveraging RAID.

53
Q

RAID 1 – Mirrored Set

A

RAID 1 creates/writes an exact duplicate of all data to an additional disk. The write performance is decreased, though the read performance can see an increase. Disk cost is one of the most troubling aspects of this level of RAID, as at least half of all disks are dedicated to redundancy.

54
Q

RAID 2 - Hamming Code

A

RAID 2 is not considered commercially viable for hard disks and is not used. This level of RAID would require either 14 or 39 hard disks and a specially designed hardware controller, which makes RAID 2 incredibly cost prohibitive.

55
Q

RAID 3 – Striped Set with Dedicated Parity (Byte Level)

A

With RAID 3, data, at the byte level, is striped across multiple disks, but an additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.

56
Q

RAID 4 – Striped Set with Dedicated Parity (Block Level)

A

RAID 4 provides the exact same configuration and functionality as that of RAID 3, but stripes data at the block, rather than byte, level. Like RAID 3, RAID 4 employs a dedicated parity drive.

57
Q

RAID 5 – Striped Set with Distributed Parity

A

Most popular RAID level.
With RAID 5 there is a focus on striping for the performance increase it offers, and RAID 5 leverages block-level striping. Like RAIDs 3 and 4, RAID 5 writes parity information that is used for recovery purposes. However, unlike RAIDs 3 and 4, which require a dedicated disk for parity information, RAID 5 distributes the parity information across multiple disks. One of the reasons for RAID 5’s popularity is that the disk cost for redundancy is lower than that of a mirrored set. Another important reason for this level’s popularity is the support for both hardware- and software-based implementations, which significantly reduces the barrier to entry for RAID configurations. RAID 5 allows for data recovery in the event that any one disk fails.

58
Q

RAID 6 – Striped Set with Dual Distributed Parity

A

While RAID 5 accommodates the loss of any one drive in the array, RAID 6 can allow for the failure of two drives and still function. This redundancy is achieved by writing the same parity information to two different disks.

59
Q

RAID 1 + 0 or RAID 10

A

RAID 1+0 or RAID 10 is an example of what is known as nested RAID or multi-RAID, which simply means that one standard RAID level is encapsulated within another. With RAID 10, which is also commonly written as RAID 1+0 to explicitly indicate the nesting, the configuration is that of a striped set of mirrors.

RAID 10 (1+0) is implemented as a striped array whose segments are RAID 1 arrays. RAID 10 has the same fault tolerance as RAID level 1. High I/O rates are achieved by striping RAID 1 segments. Under certain circumstances, a RAID 10 array can sustain multiple simultaneous drive failures. This is an excellent solution for sites that would have otherwise gone with RAID 1 but need some additional performance boost.

60
Q

High Availability Cluster (HA)

A

A high-availability cluster employs multiple systems that are already installed, configured, and plugged in, such that if one of the systems fails, the other can be seamlessly leveraged to maintain the availability of the service or application being provided.

The primary implementation consideration for high-availability clusters is whether each node of a HA cluster is actively processing data in advance of a failure. This is known as an active-active configuration, and is commonly referred to as load balancing.

61
Q

Business Continuity Planning (BCP)

A

The overarching goal of a BCP is to ensure that the business will continue to operate before, throughout, and after a disaster event is experienced. The focus of a BCP is on the business as a whole, and on ensuring that the critical services that the business provides or the critical functions that the business regularly performs can still be carried out both in the wake of a disruption and after the disruption has been weathered.

Business Continuity Planning provides a long-term strategy for ensuring the continued successful operation of an organization in spite of inevitable disruptive events and disasters.

62
Q

Disaster Recovery Planning (DRP)

A

The Disaster Recovery Plan is more tactical in its approach. The DRP provides a short-term plan for dealing with specific disruptions. Mitigating a malware infection that shows risk of spreading to other systems is an example of a specific IT-oriented disruption that a DRP would address. The DRP focuses on efficiently attempting to mitigate the impact of a disaster and on the immediate response and recovery of critical IT systems in the face of a significant disruptive event. Disaster Recovery Planning is considered tactical rather than strategic and provides a means for immediate response to disasters. The DRP does not focus on long-term business impact in the same fashion that a BCP does.

63
Q

Relationship between BCP and DRP

A

The Business Continuity Plan is an umbrella plan that includes multiple specific plans, most importantly the Disaster Recovery Plan.

The Business Continuity Plan attends to ensuring that the business is viable before, during, and after significant disruptive events. This continued viability would not be possible without being able to quickly recover critical systems, which is fundamentally what a Disaster Recovery Plan provides.

One means of distinguishing the Business Continuity Plan from the Disaster Recovery Plan is realizing that the BCP is concerned with the business-critical function or service provided, as opposed to the systems that might typically allow that function to be performed.

64
Q

The three common ways of categorizing the causes for disasters

A

are by threat agent:
natural,
human, or
environmental in nature.

65
Q

Natural threat

A

The most obvious type of threat that can result in a disaster is a naturally occurring one. This category includes threats such as earthquakes, hurricanes, tornadoes, floods, and some types of fires.

66
Q

Human threat

A

Examples of human-intentional threats include terrorists, malware, rogue insiders, Denial of Service, hacktivism, phishing, social engineering, etc. Examples of human-unintentional threats are primarily those that involve inadvertent errors and omissions, in which a person, through lack of knowledge, laziness, or carelessness, served as a source of disruption.

67
Q

Environmental threat

A

In this case "environmental" has little to do with the weather (which would be considered a natural threat) and is focused on the environment as it pertains to the information systems or datacenter. The threat of disruption to the computing environment is significant. This class of threat includes items such as power issues (blackout, brownout, surge, spike), system component or other equipment failures, and application or software flaws.

68
Q

Errors and Omissions

A

Errors and omissions are typically considered the single most common source of disruptive events. Humans, often employed by the organization, unintentionally cause this type of threat. Data entry mistakes are an example of errors and omissions. These mistakes can be costly to an organization, and might require manual review prior to being put into production, which would be an example of separation of duties.

69
Q

Disaster Recovery Process

A

The general process of disaster recovery involves responding to the disruption;
activation of the recovery team;
ongoing tactical communication of the status of disaster and its associated recovery;
further assessment of the damage caused by the disruptive event; and
recovery of critical assets and processes in a manner consistent with the extent of the disaster.

70
Q

Developing a BCP/ DRP

A
  • Project Initiation
  • Scope the Project
  • Business Impact Analysis
  • Identify Preventive Controls
  • Recovery Strategy
  • Plan Design and Development
  • Implementation, Training, and Testing
  • BCP/ DRP Maintenance [15]
71
Q

BIA - Business Impact Analysis

A

The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user.

The primary goal of the BIA is to determine the Maximum Tolerable Downtime (MTD) for a specific IT asset.

72
Q

BCP/ DRP Project Manager

A

BCP/ DRP project manager is the key Point of Contact (POC) for ensuring that a BCP/ DRP is not only completed, but also routinely tested.

73
Q

Building The BCP/ DRP Team

Need CPPT - Continuity Planning Project Team

A

Before identification of the BCP/ DRP personnel can take place, the Continuity Planning Project Team (CPPT) must be assembled. The CPPT is comprised of stakeholders within an organization and focuses on identifying who would need to play a role if a specific emergency event

This includes people from the human resources section, public relations (PR), IT staff, physical security, line managers, essential personnel for full business effectiveness, and anyone else responsible for essential functions.

74
Q

Scoping the Project

A

Scoping means to define exactly what assets are protected by the plan, which emergency events this plan will be able to address, and finally determining the resources necessary to completely create and implement the plan.

75
Q

Conduct Business Impact Analysis (BIA)

A

The Business Impact Analysis (BIA) is the formal method for determining how a disruption to the IT system(s) of an organization will impact the organization’s requirements, processes, and interdependencies with respect to the business mission. [19] It is an analysis to identify and prioritize critical IT systems and components.

The primary goal of the BIA is to determine the Maximum Tolerable Downtime (MTD) for a specific IT asset.

76
Q

Exam Warning: The BIA is comprised of two processes.

A

First, identification of critical assets must occur.

Second, a comprehensive risk assessment is conducted.

77
Q

BCP/ DRP-focused Risk Assessment

A

The BCP/ DRP-focused risk assessment determines what risks are inherent to which IT assets. A vulnerability analysis is also conducted for each IT system and major application. This is done because most traditional BCP/ DRP evaluations focus on physical security threats, both natural and human.

78
Q

Maximum Tolerable Downtime (MTD)

A

describes the total time a system can be inoperable before an organization is severely impacted.

It is the maximum time it takes to execute the reconstitution phase. Reconstitution is the process of moving an organization from the disaster recovery to business operations.

Maximum Tolerable Downtime is comprised of two metrics: the Recovery Time Objective (RTO), and the Work Recovery Time (WRT) (see below).

79
Q

Recovery Point Objective (RPO)

A

Recovery Point Objective (RPO) is the amount of data loss or system inaccessibility (measured in time) that an organization can withstand. “If you perform weekly backups, someone made a decision that your company could tolerate the loss of a week’s worth of data.”

The RPO represents the maximum acceptable amount of data/work loss for a given process because of a disaster or disruptive event.

80
Q

Recovery Time Objective (RTO)

A

Recovery Time Objective (RTO) describes the maximum time allowed to recover business or IT systems. RTO is also called the systems recovery time. This is one part of Maximum Tolerable Downtime: once the system is physically running, it must be configured.

81
Q

Work Recovery Time (WRT)

A

Work Recovery Time (WRT) describes the time required to configure a recovered system. “Downtime consists of two elements, the systems recovery time and the work recovery time. Therefore, MTD = RTO + WRT.”

82
Q

Mean Time Between Failures (MTBF)

A

Mean Time Between Failures (MTBF) quantifies how long a new or repaired system will run before failing.

83
Q

Mean Time to Repair (MTTR)

A

The Mean Time to Repair (MTTR) describes how long it will take to recover a specific failed system.

84
Q

Minimum Operating Requirements (MOR)

A

Minimum Operating Requirements (MOR) describe the minimum environmental and connectivity requirements in order to operate computer equipment.

85
Q

Redundant Site

A

A redundant site is an exact production duplicate of a system that has the capability to seamlessly operate all necessary IT operations without loss of services to the end user of the system. A redundant site receives data backups in real time so that in the event of a disaster, the users of the system have no loss of data. It is a building configured exactly like the primary site and is the most expensive recovery option because it effectively more than doubles the cost of IT operations.

86
Q

Hot Site

A

A hot site is a location that an organization may relocate to following a major disruption or disaster. It is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers. The hot site will have all necessary hardware and critical application data mirrored in real time.
A hot site will have the capability to allow the organization to resume critical operations within a very short period of time, sometimes in less than an hour.

87
Q

Warm Site

A

A warm site has some aspects of a hot site, for example readily accessible hardware and connectivity, but it will have to rely upon backup data in order to reconstitute a system after a disruption. It is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers.

Organizations will have to be able to withstand an MTD of at least 1–3 days in order to consider a warm site solution.

88
Q

Cold Site

A

A cold site is the least expensive recovery solution to implement. It does not include backup copies of data, nor does it contain any immediately available hardware. After a disruptive event, a cold site will take the longest amount of time of all recovery solutions to implement and restore critical IT services for the organization. Especially in a disaster area, it could take weeks to get vendor hardware shipments in place, so organizations using a cold site recovery solution will have to be able to withstand a significantly long MTD, usually measured in weeks, not days. A cold site is typically a datacenter with a raised floor, power, utilities, and physical security.

89
Q

Mobile Sites

A

Mobile sites are “datacenters on wheels”: towable trailers that contain racks of computer equipment, as well as HVAC, fire suppression and physical security. They are a good fit for disasters such as a datacenter flood, where the datacenter is damaged but the rest of the facility and surrounding property are intact. They may be towed onsite, supplied power and network, and brought online.

90
Q

Continuity of Operations Plan (COOP)

A

Continuity of Operations Plan (COOP) describes the procedures required to maintain operations during a disaster. This includes transfer of personnel to an alternate disaster recovery site, and operations of that site.

91
Q

Business Recovery Plan

A

Business Recovery Plan (also known as the Business Resumption Plan) details the steps required to restore normal business operations after recovering from a disruptive event. This may include switching operations from an alternate site back to a (repaired) primary site. The Business Recovery Plan picks up when the COOP is complete.

92
Q

Continuity of Support Plan

A

Continuity of Support Plan focuses narrowly on support of specific IT systems and applications. It is also called the IT Contingency Plan, emphasizing IT over general business support.

93
Q

Occupant Emergency Plan (OEP)

A

Occupant Emergency Plan (OEP) provides the “response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property.”

94
Q

Crisis Management Plan (CMP)

A

Crisis Management Plan (CMP) is designed to provide effective coordination among the managers of the organization in the event of an emergency or disruptive event. The CMP details the actions management must take to ensure that life and safety of personnel and property are immediately protected in case of a disaster.

95
Q

Crisis Communications Plan

A

Crisis Communications Plan (sometimes simply called the communications plan): a plan for communicating to staff and the public in the event of a disruptive event. Instructions for notifying the affected members of the organization are an integral part of any BCP/DRP.

96
Q

Call Tree

A

A call tree is used to quickly communicate news throughout an organization without overburdening any specific person. The call tree works by assigning each employee a small number of other employees they are responsible for calling in an emergency.

97
Q

Vital Records

A

Vital records should be stored offsite, at a location and in a format that will allow access during a disaster. It is best practice to have both electronic and hardcopy versions of all vital records. Vital records include contact information for all critical staff. Additional vital records include licensing information, support contracts, service level agreements, reciprocal agreements, telecom circuit IDs, etc.

98
Q

Tape Rotation Methods

A

FIFO (First In First Out).

Grandfather-Father-Son (GFS) addresses the limited retention of simple FIFO rotation. There are 3 sets of tapes: 7 daily tapes (the son), 4 weekly tapes (the father), and 12 monthly tapes (the grandfather). Once per week a son tape graduates to father. Once every 5 weeks a father tape graduates to grandfather. After running for a year this method ensures there are backup tapes available for the past 7 days, weekly tapes for the past 4 weeks, and monthly tapes for the past 12 months.

99
Q

Electronic vaulting

A

Electronic vaulting is the batch process of electronically transmitting data that is to be backed up on a routine, regularly scheduled time interval. It is used to transfer bulk information to an offsite facility.

Electronic vaulting is a good tool for data that needs to be backed up at a daily or even hourly rate. It solves two problems at the same time: it stores sensitive data offsite, and it can perform the backup at very short intervals to ensure that the most recent data is backed up.

100
Q

Remote Journaling

A

Remote Journaling saves the database checkpoints and database journal to a remote site. In the event of failure at the primary site, the database may be recovered.

Note: A database journal contains a log of all database transactions.

101
Q

Database shadowing

A

Database shadowing uses two or more identical databases that are updated simultaneously. The shadow database(s) can exist locally, but it is best practice to host one shadow database offsite.

102
Q

Active-active cluster

A

Active-active cluster involves multiple systems all of which are online and actively processing traffic or data. This configuration is also commonly referred to as load balancing, and is especially common with public facing systems such as Web server farms.

103
Q

Active-passive cluster

A

Active-passive cluster involves devices or systems that are already in place, configured, powered on, and ready to begin processing network traffic should a failure occur on the primary system. Active-passive clusters are often designed such that any configuration changes made on the primary system or device are replicated to the standby system. Also, to expedite the recovery of the service, many failover cluster devices will automatically, with no required user interaction,

104
Q

Software Escrow

A

software escrow. Should the development organization go out of business or otherwise violate the terms of the software escrow agreement, the third party holding the escrow will provide the source code and any other information to the purchasing organization.

105
Q

DRP Testing

A

Testing should be performed on an annual basis.

106
Q

Simulation Test/ Walkthrough Drill

A

A simulation test, also called a walkthrough drill (not to be confused with the discussion-based structured walkthrough), goes beyond talking about the process and actually has teams carry out the recovery process. A pretend disaster is simulated, to which the team must respond as directed by the DRP.

107
Q

DRP testing methods vary in complexity and cost, and simpler tests are less expensive. Here is how the tests are ranked in order of cost and complexity, from low to high:

A
  • DRP Review
  • Read-Through/Checklist/Consistency
  • Structured Walkthrough/Tabletop
  • Simulation Test/Walkthrough Drill
  • Parallel Processing
  • Partial Interruption
  • Complete Business Interruption

108
Q

Common BCP/DRP mistakes include

A

Common BCP/DRP mistakes include:
• Lack of management support
• Lack of business unit involvement
• Lack of prioritization among critical staff
• Improper (often overly narrow) scope
• Inadequate telecommunications management
• Inadequate supply chain management
• Incomplete or inadequate crisis management plan
• Lack of testing
• Lack of training and awareness
• Failure to keep the BCP/DRP plan up to date

109
Q

What type of backup is typically obtained during the Response (aka Containment) phase of Incident Response?

A

Binary

110
Q

What is the primary goal of disaster recovery planning (DRP)?

A

Safety of personnel

111
Q

What business process can be used to determine the outer bound of a Maximum Tolerable Downtime?

A

Payroll

112
Q

Your Maximum Tolerable Downtime is 48 hours. What is the most cost-effective alternate site choice?

A

Warm

113
Q

A structured walkthrough test is also known as what kind of test?

A

Tabletop Exercise

114
Q

Which type of backup will include only those files that have changed since the most recent Full backup?

A

Differential

115
Q

Which type of tape backup requires a maximum of two tapes to perform a restoration?

A

Differential backup

116
Q

What statement regarding the Business Continuity Plan is true?

A

BCP is an overarching “umbrella” plan that includes other focused plans such as DRP

117
Q

Which HA (High Availability) solution involves multiple systems all of which are online and actively processing traffic or data?

A

Active-active cluster

118
Q

What plan is designed to provide effective coordination among the managers of the organization in the event of an emergency or disruptive event?

A

Crisis Management Plan

119
Q

Which plan details the steps required to restore normal business operations after recovering from a disruptive event?

A

Business Resumption Planning (BRP)

120
Q

What metric describes how long it will take to recover a failed system?

A

The Mean Time to Repair (MTTR)

121
Q

What metric describes the moment in time in which data must be recovered and made available to users in order to resume business operations?

A

Recovery Point Objective (RPO)

122
Q

Maximum Tolerable Downtime (MTD) is comprised of which two metrics?

A

Recovery Time Objective (RTO) and Work Recovery Time (WRT)

123
Q

Which level of RAID does NOT provide additional reliability?

A

RAID 0

124
Q

Once you have designed your backup hardware, software and schedule for backups you need to plan what to do with the tapes. What is the BEST way to ensure the tapes are safe and available after a disaster?

A

Arrange a secure, remote storage facility.

125
Q

Controlling which software sources are used in a production environment can BEST be described as:

A

Trusted Media

126
Q

Which of the following computer recovery sites is only partially equipped with processing equipment?

A

warm site.

127
Q

Organizations should not view disaster recovery as which of the following?

A

Discretionary expense.

128
Q

Why would anomaly detection IDSs often generate a large number of false positives?

A

Because normal patterns of user and system behavior can vary wildly.

129
Q

Which of the following answers BEST describes the process of reporting on unauthorized activities on your database servers?

A

DAM - Database Activity Monitoring

130
Q

This functional group would be established to support the location equipped with all necessary resources for the resumption of normal business operations. It manages business resumption when the above group is activated.

A

EOC – Emergency Operations Center

131
Q

What is the most correct choice below when talking about the steps to resume normal operation at the primary site after the green light has been given by the salvage team?

A

The least critical functions should be moved back first

132
Q

Which of the following best defines a Computer Security Incident Response Team (CSIRT)?

A

An organization that coordinates and supports the response to security incidents.

133
Q

In computer forensics, which of the following describes the process that converts the extracted information into a format that can be understood by the investigator?

A

Investigation

134
Q

There are many known weaknesses within a behavior Intrusion Detection System (IDS). Which of the following is NOT a limitation of a behavior IDS?

A

Detect zero-day attacks

Intrusion detection systems are somewhat limited in scope; they do not address the following:

• Weakness in the policy definition
• Application-level vulnerability
• Backdoor within application
• Weakness in identification and authentication schemes

135
Q

The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?

A

clipping level

136
Q

Which of the following questions is less likely to help in assessing controls over hardware and software maintenance?

A

Are integrity verification programs used by applications to look for evidence of data tampering, errors, and omissions?

137
Q

Fault tolerance countermeasures are designed to combat threats to which of the following?

A

Design Reliability

Fault tolerance countermeasures are designed to combat threats to design reliability. Tolerance and reliability are almost synonymous, which is a good indication of the best choice. Reliability tools include failover mechanisms, load balancers, clustering tools, etc. None of the other answers would improve reliability.

138
Q

How do you prevent users from booting from alternate media like a USB key or CDROM / DVD?

A

BIOS Password

A BIOS password is stored in the motherboard firmware and is difficult to bypass for most users, although not impossible. Most users aren’t savvy enough to figure it out, and it can be a beneficial part of a defense-in-depth strategy.

139
Q

Which of the following answers specifies the correct sequence of levels within the Capability Maturity Model (CMM)?

A

Initial, Managed, Defined, Quantitatively Managed, Optimizing

140
Q

Valuable paper insurance coverage does not cover damage to which of the following?

A

Money and Securities

141
Q

This type of backup management provides a continuous on-line backup by using optical or tape “jukeboxes,” similar to WORMs (Write Once, Read Many):

A

Hierarchical Storage Management (HSM).

142
Q

Which RAID implementation creates one large disk by using two disks as one large volume?

A

RAID level 0

RAID level 0 creates one large disk by using several disks, in a process called striping.

It stripes data across all disks, improving performance, but provides no redundancy and lessens fault tolerance by making the entire data volume unusable should one of the disks fail.

143
Q

Which RAID level concept is considered more expensive and is applied to servers to create what is commonly known as server fault tolerance?

A

RAID level 1

RAID 1 (mirroring) is usually used to create server fault tolerance.

Redundant server implementations take the concept of RAID 1 (mirroring) and apply it to a pair of servers to provide server fault tolerance. Each of the two servers has 100% of the data, and the data is kept in sync at all times.

144
Q

Which common backup method is the fastest on a daily basis?

A

Incremental backup method

145
Q

This role decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria.

A

Data Owner
Treating information as an asset requires a number of roles and distinctions to be clearly identified and defined.

Data custodians are responsible for the safe custody, transport, data storage, and implementation of business rules.

146
Q

Which backup method usually resets the archive bit on the files after they have been backed up?

A

Incremental backup method.

147
Q

The MOST important resource to restore after a disaster occurs is:

A

AAA Business functions

The AAA business functions are the most critical business functions. They have to be immediately recovered in order to avoid impacting the company.

148
Q

These types of accounts are usually used for ensuring that data is stored in a way that makes the MOST sense to the company and the individuals who need to access and work with it?

A

Data Analyst Accounts

The data analyst is responsible for ensuring that data is stored in a way that makes the most sense to the company and the individuals who need to access and work with it.

149
Q

One executive asks “What’s that term used to describe making your facility an unattractive target?”

A

Deterrence

150
Q

Which of the following activities would not be taking place while computer incident handling is ongoing?

A

System development activity

151
Q

Which of the following is NOT a fundamental component of an alarm in an intrusion detection system?

A

Response

152
Q

In what way can violation clipping levels assist in violation tracking and analysis?

A

Clipping levels set a baseline for acceptable normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred.

153
Q

In Operations Security, trusted paths provide:

A

trustworthy interfaces into privileged user functions.

154
Q

Which of the following would best classify as a management control?

A

Review of security controls

155
Q

Which of the following is the most important consideration in locating an alternate computing facility during the development of a disaster recovery plan?

A

It is unlikely to be affected by the same disaster.

156
Q

Which of the following is the LEAST effective transaction redundancy implementation?

A

on-site mirroring.

The keyword in this case is LEAST. You need to choose the option that is least effective for transaction redundancy. On-site mirroring is fine, but a disaster or catastrophe at the site would not allow you to continue processing. All of the other choices are better because they offer a remote site onto which you can recover and continue processing transactions.

157
Q

What is defined as inference of information from other, intermediate, relevant facts?

A

Circumstantial evidence

158
Q

What is a common problem when using vibration detection devices for perimeter control?

A

They are vulnerable to non-adversarial disturbances.

159
Q

Fault tolerance countermeasures are designed to combat threats to which of the following?

A

The best answer is: Design Reliability

Fault tolerance countermeasures are designed to combat threats to design reliability. Tolerance and reliability are almost synonymous, which is a good indication of the best choice. Reliability tools include failover mechanisms, load balancers, clustering tools, etc.

None of the other answers would improve reliability.

160
Q

Which backup method is additive because the time and tape space required for each night’s backup grows during the week as it copies the day’s changed files and the previous days’ changed files up to the last full backup?

A

differential backup method.

Incremental

When you schedule an incremental backup, you are in essence instructing the software to back up only files that have been changed, or files that have their flag up. After the incremental backup of that file has occurred, that flag will go back down. If you perform a normal backup on Monday, then an incremental backup on Wednesday, the only files that will be backed up are those that have changed since Monday. If on Thursday someone deletes a file by accident, in order to get it back you will have to restore the full backup from Monday, followed by the incremental backup from Wednesday.

Differential

Differential backups are similar to incremental backups in that they back up only files with their archive bit, or flag, up. However, when a differential backup occurs it does not reset those archive bits, which means that if another differential backup occurs the following day, it will back up that file again regardless of whether that file has been changed or not.

161
Q

Malware Controls

A

A. Scanners – Look for sequences of bits, called signatures, that are typical of malware programs.
The two primary types of scanner are:

  1. Malware masks or signatures – Anti-malware scanners check files, sectors and system memory for known and new (unknown to the scanner) malware on the basis of malware masks or signatures. Malware masks or signatures are specific code strings that are recognized as belonging to malware. For polymorphic malware, the scanner sometimes has algorithms that check for all possible combinations of a signature that could exist in an infected file.
  2. Heuristic scanner – Analyzes the instructions in the code being scanned and decides on the basis of statistical probabilities whether it could contain malicious code. A heuristic scan result can indicate that malware may be present, i.e. that a file is possibly infected. Heuristic scanners tend to generate a high level of false-positive errors (they indicate that malware may be present when, in fact, no malware is present).
    Scanners examine memory, disk boot sectors, executables, data files, and command files for bit patterns that match known malware. Scanners, therefore, need to be updated periodically to remain effective.

B. Immunizers – Defend against malware by appending sections of themselves to files, sometimes in the same way malware appends itself. Immunizers continuously check a file for changes and report changes as possible malware behavior. Other types of immunizers are focused on a specific malware and work by giving the malware the impression that it has already infected the computer. This method is not always practical, since it is not possible to immunize files against all known malware.

C. Behavior Blockers – Focus on detecting potentially abnormal behavior such as writing to the boot sector or the master boot record, or making changes to executable files. Blockers can potentially detect malware at an early stage. Most hardware-based anti-malware mechanisms are based on this concept.

D. Integrity (CRC) Checkers – Compute a binary number on a known malware-free program, which is then stored in a database file. The number is called a Cyclic Redundancy Check (CRC). On subsequent scans, when that program is called to execute, the checker compares the file to the database and reports possible infection if changes have occurred. A match means no infection; a mismatch means a change in the program has occurred. A change in the program could mean malware within it. These checkers are effective in detecting infection; however, they can do so only after infection has occurred. Also, a CRC checker can only detect subsequent changes to files, because it assumes files are malware-free in the first place. Therefore, it is ineffective against new files that are already malware-infected and are not recorded in the database. Integrity checkers take advantage of the fact that executable programs and boot sectors do not change often, if at all.

E. Active Monitors – Active monitors interpret DOS and read-only memory (ROM) BIOS calls, looking for malware-like actions. Active monitors can be problematic because they cannot distinguish between a user request and a program or malware request. As a result, users are asked to confirm actions, including formatting a disk or deleting a file or set of files.

162
Q

When a vendor releases patches or updates for software that you use in your organization, when is it best to install these updates and patches?

A

After appropriate testing

163
Q

Systems that maintain a record of which account did what, at what time, to what asset or system, for the purpose of later understanding events, can BEST be described as:

A

Log Management Systems

164
Q

Tom is assessing the aftermath of a denial of service attack and discovers that his system received a large number of ICMP Echo Reply packets. What type of attack likely occurred?

A

Smurf attack

SYN flood attacks disrupt the TCP handshake and would be characterized by a large number of SYN packets. Fraggle attacks use UDP packets, not ICMP packets.

Ping flood attacks do use ICMP, but they flood the victim with ICMP Echo Requests, not ICMP Echo Replies.

165
Q

Security tool that consists of an unused network address space that may detect unauthorized activity

A

Darknet

A darknet is a segment of unused network address space that should have no network activity and may be used to monitor illicit activity.

166
Q

Backup tape rotation schemes

A

Grandfather/Father/Son
Tower of Hanoi
Six Cartridge Weekly