Domain 7 Security Operations Flashcards
The major objective of system configuration management is which of the following?
system stability.
When RAID runs as part of the operating system on the file server, it is an example of a:
software implementation.
Which of the following is NOT a common backup method?
Daily backup method
A daily backup is not a backup method; "daily" only states how often backups are taken. A daily backup can be a full, an incremental or a differential backup.
Which backup method only copies files that have been recently added or changed and also leaves the archive bit unchanged?
Differential backup method
Which of the following operations security controls is intended to prevent unauthorized intruders, internal or external, from accessing systems, and to reduce the number and impact of unintentional errors entering the system?
Preventative Controls
Which of the following terms BEST describes a network of computers, virtualized or real that mimics a real organization’s network that is designed to delay and log attackers’ activity while the organization’s real network is safely elsewhere?
Honeynet
A Honeypot is similar to a honeynet in that it’s a fake system designed to distract attackers and log intruder activities to learn of new attack styles. A Honeynet is usually a collection of Honeypots.
RAID, Redundant Array of Inexpensive Disks, is very commonly implemented. Which of the following is an INCORRECT statement about RAID?
RAID level 0 is striping and not mirroring.
This functional group plans, operates and maintains business emergency planning programs for the organization. Setting strategic direction and training are key duties of this group.
Contingency Planning Group
Which of the following level in Capability Maturity Model Integration (CMMI) model focuses on process definition and process deployment?
Level 3
Level 1 - Initial (Chaotic)
It is characteristic of processes at this level that they are (typically) undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes.
Level 2 - Repeatable
It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.
Level 3 - Defined
It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and used to establish consistency of process performance across the organization.
Level 4 - Managed
It is characteristic of processes at this level that, using process metrics, management can effectively control the AS-IS process (e.g., for software development). In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process Capability is established from this level.
Level 5 - Optimizing
It is a characteristic of processes at this level that the focus is on continually improving process performance through both incremental and innovative technological changes/improvements.
This alternate site strategy is employed for applications that cannot accept any downtime without negatively impacting the organization. The applications are split between two geographically dispersed data centers and either load balanced between the two centers or hot swapped between the two centers. What is the name of this approach?
Dual data center
This type of RAID implementation uses its own Central Processing Unit (CPU) for calculations on an intelligent controller card by:
hardware implementation.
Which of the following answers BEST describes software on a user’s computer that inspects and controls inbound and outbound traffic and protects it from attack.
Host-Based Firewall
Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?
System and information owners
When should a post-mortem review meeting be held after an intrusion has been properly taken care of?
Within the first week of completing the investigation of the intrusion.
In the context of network enumeration by an outside attacker and possible Distributed Denial of Service (DDoS) attacks, which of the following firewall rules is not appropriate to protect an organization’s internal network?
Allow echo reply outbound
Echo replies outbound should be dropped, not allowed. There is no reason for any internet user to send ICMP echo requests to your internal hosts from the internet. If they wish to find out whether a service is available, they can use a browser to connect to your web server or simply send an email if they wish to test your mail service.
Outbound echo replies are also what a Smurf amplification attack relies on: the attacker sends ICMP echo requests to a network's broadcast address with the source address spoofed to the victim, and every host behind that gateway answers the victim, so the attacker's traffic is amplified by the number of hosts on the network. Dropping outbound echo replies (and not forwarding directed broadcasts) keeps your hosts from being used as an amplifier.
Which are the two primary types of scanner used for protecting against Malware?
Malware mask/signatures and Heuristic Scanner
Business Continuity Plan (BCP)—
a long-term plan to ensure the continuity of business operations
Continuity of Operations Plan (COOP)—
a plan to maintain operations during a disaster.
Disaster—
any disruptive event that interrupts normal system operations
Disaster Recovery Plan (DRP)—
a short-term plan to recover from a disruptive event
Mean Time Between Failures (MTBF)—
quantifies how long a new or repaired system will run on average before failing
Mean Time to Repair (MTTR)—
describes how long it will take to recover a failed system
Mirroring—
Complete duplication of data to another disk, used by some levels of RAID.
Redundant Array of Inexpensive Disks (RAID)—
A method of using multiple disk drives to achieve greater data reliability, greater speed, or both
Striping—
Spreading data writes across multiple disks to achieve performance gains, used by some levels of RAID
current forensic approach
favors some degree of live forensics that includes taking a bit by bit, or binary image of physical memory, gathering details about running processes, and gathering network connection data.
The general phases of the forensic process are:
the identification of potential evidence;
the acquisition of that evidence;
analysis of the evidence;
and production of a report.
four basic types of disk-based forensic data:
Allocated space— portions of a disk partition that are marked as actively containing data.
Unallocated space— portions of a disk partition that do not contain active data. This includes portions that have never been allocated, and previously allocated portions that have been marked unallocated. If a file is deleted, the portions of the disk that held the deleted file are marked as unallocated and made available for use.
Slack space— data is stored in fixed-size chunks known as clusters (a cluster is a group of one or more disk sectors; some file systems call the unit a block). A cluster is the minimum size that can be allocated by a file system. If a particular file, or the final portion of a file, does not require the use of the entire cluster then some extra space will exist within the cluster. This leftover space is known as slack space: it may contain old data, or can be used intentionally by attackers to hide information.
“Bad” blocks/ clusters/ sectors— hard disks routinely end up with sectors that cannot be read due to some physical defect. The sectors marked as bad will be ignored by the operating system since no data could be read in those defective portions. Attackers could intentionally mark sectors or clusters as being bad in order to hide data within this portion of the disk.
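The four categories above are easiest to see on a toy volume. The block below is an added example, not part of the original flashcards: the Volume class is a hypothetical model of a cluster-allocating file system (not any real driver), and the file names and contents are constructed. It writes a 26-byte file, "deletes" it, reuses the first cluster for a 5-byte file, and then shows that the old data survives both in the new file's slack space and in unallocated space.

```python
"""Clusters, slack space and unallocated space on a toy volume.

Added example: the Volume class is a hypothetical model of a cluster-allocating
file system, not any real driver; file names and contents are constructed."""

CLUSTER = 16   # bytes per cluster (real file systems use 4 KiB or more)


class Volume:
    def __init__(self, nclusters):
        self.clusters = [bytearray(CLUSTER) for _ in range(nclusters)]
        self.alloc = {}                     # name -> (cluster list, logical size)
        self.free = list(range(nclusters))  # unallocated clusters

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)     # ceiling division: whole clusters only
        idx = [self.free.pop(0) for _ in range(need)]
        for n, c in enumerate(idx):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            self.clusters[c][:len(chunk)] = chunk   # bytes past the data are left as they were
        self.alloc[name] = (idx, len(data))

    def delete(self, name):
        idx, _ = self.alloc.pop(name)
        self.free = idx + self.free         # clusters become unallocated; contents are not wiped

    def read(self, name):
        idx, size = self.alloc[name]
        return b"".join(bytes(self.clusters[c]) for c in idx)[:size]

    def slack(self, name):
        """Bytes in the file's last cluster beyond its logical end."""
        idx, size = self.alloc[name]
        used_in_last = size - (len(idx) - 1) * CLUSTER
        return bytes(self.clusters[idx[-1]][used_in_last:])

    def unallocated(self):
        return b"".join(bytes(self.clusters[c]) for c in sorted(self.free))


def demo():
    vol = Volume(4)
    vol.write("ledger.txt", b"SECRET ACCOUNT 4471-2201-9")   # 26 bytes -> clusters 0 and 1
    vol.delete("ledger.txt")                                  # "deleted": only the allocation is dropped
    vol.write("note.txt", b"hello")                           # 5 bytes reuse cluster 0
    return vol


if __name__ == "__main__":
    v = demo()
    print("note.txt content :", v.read("note.txt"))
    print("note.txt slack   :", v.slack("note.txt"))
    print("unallocated      :", v.unallocated())
```

The slack of note.txt still reads "T ACCOUNT 4" and the second half of the account number sits in unallocated space, which is exactly why a forensic image must capture whole clusters and free space rather than only the logical contents of files.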
Network Forensics
With network forensics, the entire contents of e-mails, IM conversations, Web surfing activities, and file transfers can be recovered from network equipment and reconstructed to reveal the original transaction.
ESI
Electronically Stored Information
NIST Incident response lifecycle in 4 steps:
- Preparation
- Detection and Analysis
- Containment, Eradication and Recovery
- Post-incident Activity
CISSP Exam IR lifecycle 8 steps:
- Preparation
- Detection (aka Identification)
- Response (aka Containment)
- Mitigation (aka Eradication)
- Reporting
- Recovery
- Remediation
- Lessons Learned
There are four types of IDS events:
true positive,
true negative,
false positive,
false negative.
Network-based Intrusion Detection System (NIDS)
detects malicious traffic on a network. NIDS usually require promiscuous network access in order to analyze all traffic, including all unicast traffic. NIDS are passive devices that do not interfere with the traffic they monitor;
Host-based Intrusion Detection Systems (HIDS) and Host-based Intrusion Prevention Systems (HIPS)
process information within the host. They may process network traffic as it enters the host, but the exam’s focus is usually on files and processes.
e.g.: Tripwire protects system integrity by detecting changes to critical operating system files. Changes are detected through a variety of methods, including comparison of cryptographic hashes.
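A minimal version of that hash-baseline check, as an added example rather than Tripwire's own code or database format: it records SHA-256, size and permission bits for every file under a directory, then re-scans and reports added, removed and modified files. The fake /etc under a temporary directory and the post-compromise edits are constructed; one of them changes a file's bytes without changing its size, which is the case a hash catches and a size check misses.

```python
"""Tripwire-style file integrity baseline and comparison.

Added example, not Tripwire's code or database format. The files created under
a temporary directory (a fake /etc) and the "attacker" edits are constructed."""
import hashlib
import os
import tempfile

TRACKED = ("sha256", "size", "mode")


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, size and permission bits for every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(path), "size": st.st_size, "mode": st.st_mode & 0o777}
    return baseline


def compare(baseline, current):
    """Report added, removed and modified files, naming which attribute changed."""
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": [],
    }
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in TRACKED if baseline[rel][k] != current[rel][k]]
        if changed:
            report["modified"].append((rel, changed))
    return report


def _put(root, rel, text, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def demo():
    with tempfile.TemporaryDirectory() as root:
        _put(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        _put(root, "etc/hosts", "127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Constructed post-compromise changes:
        with open(os.path.join(root, "etc/passwd"), "a") as f:
            f.write("eve:x:0:0::/tmp:/bin/sh\n")                  # second uid-0 account (size grows)
        _put(root, "etc/hosts", "6.6.6.6   localhost\n", 0o666)  # same size, different bytes, mode relaxed
        _put(root, "etc/ld.so.preload", "/tmp/evil.so\n")         # new file: library preload persistence

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be stored where an attacker who owns the host cannot rewrite it (read-only media or a separate server), otherwise the comparison proves nothing.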
Hanlon’s Razor, a maxim that reads: “Never attribute to malice that which is adequately explained by stupidity.”
All Information Security Professionals should understand Hanlon’s Razor. There is plenty of malice in our world: worms, phishing attacks, identity theft, etc. But there is more brokenness and stupidity: most disasters are caused by user error.
Pattern Matching IDS
Discovers known attacks only by pattern recognition. Will not alert on zero day attacks
Protocol Behavior IDS
Monitors protocol (e.g.: TCP) behavior
Anomaly Detection IDS
works by establishing a baseline of normal traffic. The anomaly detection IDS then ignores traffic that matches the baseline and reports traffic that deviates from it.
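The four IDS event types and the pattern-matching versus anomaly-detection trade-off, scored on the same traffic. This is an added example and not code from any IDS product: the two signatures, the "normal day" response sizes used as the baseline, and the labelled request records are all constructed. The signature detector misses the attack it has no pattern for (a false negative), the anomaly detector flags a legitimately large download (a false positive), and running both together removes the false negative at the cost of keeping the false positive.

```python
"""Signature vs anomaly detection scored as true/false positives and negatives.

Added example, not from any IDS product. The signatures, the baseline response
sizes and the labelled traffic below are all constructed."""
import re
from statistics import mean, pstdev

# Two known-attack patterns (signature / pattern matching).
SIGNATURES = [
    re.compile(rb"(?i)union\s+select"),   # SQL injection
    re.compile(rb"\.\./\.\./"),           # directory traversal
]

# Response sizes observed on a "normal" day: the anomaly detector's baseline.
BASELINE_SIZES = [1000, 1200, 1100, 1300, 950, 1250]
ANOMALY_THRESHOLD = mean(BASELINE_SIZES) + 3 * pstdev(BASELINE_SIZES)

# (request line, response size in bytes, truly malicious?) - labelled ground truth
TRAFFIC = [
    (b"GET /index.html", 1200, False),
    (b"GET /about.html", 1100, False),
    (b"GET /login?u=admin' UNION SELECT 1,2--", 1300, True),
    (b"GET /../../etc/passwd", 900, True),
    (b"GET /export?all=1", 250000, True),   # bulk data pull: no signature exists for it
    (b"GET /images/logo.png", 1150, False),
    (b"GET /report.pdf", 48000, False),     # legitimately large download
]


def signature_detector(request, size):
    return any(sig.search(request) for sig in SIGNATURES)


def anomaly_detector(request, size):
    return size > ANOMALY_THRESHOLD


def combined_detector(request, size):
    return signature_detector(request, size) or anomaly_detector(request, size)


def outcome(alerted, malicious):
    return {
        (True, True): "true positive",
        (False, False): "true negative",
        (True, False): "false positive",
        (False, True): "false negative",
    }[(alerted, malicious)]


def evaluate(detector, traffic=TRAFFIC):
    """Count the four IDS event types for a detector over labelled traffic."""
    counts = {"true positive": 0, "true negative": 0, "false positive": 0, "false negative": 0}
    for request, size, malicious in traffic:
        counts[outcome(detector(request, size), malicious)] += 1
    return counts


if __name__ == "__main__":
    for det in (signature_detector, anomaly_detector, combined_detector):
        print(f"{det.__name__:20} {evaluate(det)}")
```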
Endpoint protection features
antivirus, application whitelisting, removable media controls, disk encryption, Host Intrusion Prevention Systems, and desktop firewalls.
honeywall
(honeynet firewall) that is intended to limit the likelihood of the honeynet being used to attack other systems.
The three basic types of backups are:
full backup, incremental backup and differential backup.
Full Backup
The full backup is the easiest type of backup to understand: it is simply a replica of all allocated data on the hard disk.
Incremental backups
Incremental backups only archive files that have changed since the last backup of any kind was performed. Since fewer files are backed up, the time to perform the incremental backup is greatly reduced.
if a data or disk failure occurs and there is a need for recovery, then the most recent full backup and each and every incremental backup since the full backup is required to initiate a recovery.
Differential backup
differential method will back up any files that have been changed since the last full backup.
if a data or disk failure occurs and there is a need for recovery, then only the most recent full backup and most recent differential backup are required to initiate a full recovery.
Archive Bits
file systems, such as Microsoft’s NTFS, support the archive bit. This bit is a file attribute used to determine whether a file has been archived since last modification.
As files are modified, the associated archive bits are set to 1 (indicating the file has changed, and needs to be archived). An incremental backup will archive each modified file and reset the archive bit to 0.
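The three backup types and the archive-bit behaviour above, run through a simulated week. This is an added example, not code from any backup product: the FileSystem and BackupSet classes are hypothetical models and the file names, contents and edit schedule are constructed. The incremental strategy clears the archive bit and so needs the full backup plus every incremental to restore; the differential strategy leaves the bit set, so each differential grows but restore needs only the full backup plus the newest differential.

```python
"""Simulated full / incremental / differential backups driven by the archive bit.

Added example: the FileSystem and BackupSet classes are hypothetical models,
not code from any backup product; file names and contents are constructed."""


class FileSystem:
    def __init__(self):
        self.files = {}     # name -> content
        self.archive = {}   # name -> archive bit (True = changed since last archived)

    def write(self, name, content):
        self.files[name] = content
        self.archive[name] = True   # any modification sets the archive bit


class BackupSet:
    def __init__(self, kind, day, files):
        self.kind, self.day, self.files = kind, day, dict(files)


def full_backup(fs, day):
    """Copy everything and clear every archive bit."""
    for name in fs.files:
        fs.archive[name] = False
    return BackupSet("full", day, fs.files)


def incremental_backup(fs, day):
    """Copy files changed since the last backup of any kind; clear their bits."""
    changed = {n: c for n, c in fs.files.items() if fs.archive[n]}
    for name in changed:
        fs.archive[name] = False
    return BackupSet("incremental", day, changed)


def differential_backup(fs, day):
    """Copy files changed since the last full backup; leave the bits set,
    so each differential grows until the next full backup resets them."""
    changed = {n: c for n, c in fs.files.items() if fs.archive[n]}
    return BackupSet("differential", day, changed)


def restore_chain(history):
    """Which backup sets are needed to restore to the newest point in time."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    chain = [history[last_full]]
    later = history[last_full + 1:]
    if later and later[-1].kind == "differential":
        chain.append(later[-1])                                    # full + newest differential
    else:
        chain += [b for b in later if b.kind == "incremental"]     # full + every incremental
    return chain


def restore(chain):
    state = {}
    for b in chain:          # apply in order so newer copies win
        state.update(b.files)
    return state


def run_week(strategy):
    """Sunday full backup, then Mon-Wed backups using `strategy` (constructed edits)."""
    fs = FileSystem()
    fs.write("a.txt", "a0")
    fs.write("b.txt", "b0")
    history = [full_backup(fs, "Sun")]
    for day, name, content in [("Mon", "a.txt", "a1"), ("Tue", "b.txt", "b1"), ("Wed", "a.txt", "a2")]:
        fs.write(name, content)
        history.append(strategy(fs, day))
    return fs, history


if __name__ == "__main__":
    for strategy in (incremental_backup, differential_backup):
        fs, history = run_week(strategy)
        chain = restore_chain(history)
        print(strategy.__name__, "needs", [b.day for b in chain],
              "restore ok:", restore(chain) == fs.files,
              "archive bits after:", fs.archive)
```

The model deliberately mixes neither strategy within one cycle: an incremental taken between differentials would clear the bits and silently shrink the next differential, which is the practical reason the two schemes are not interleaved.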
RAID - Redundant Array of Inexpensive Disks
RAID level – description
RAID 0 – Striped Set
RAID 1 – Mirrored Set
RAID 3 – Byte Level Striping with Dedicated Parity
RAID 4 – Block Level Striping with Dedicated Parity
RAID 5 – Block Level Striping with Distributed Parity
RAID 6 – Block Level Striping with Double Distributed Parity
Three critical RAID terms are:
mirroring,
striping and
parity.
Mirroring
used to achieve full data redundancy by writing the same data to multiple hard disks. Since mirrored data must be written to multiple disks the write times are slower (though caching by the RAID controller may mitigate this).
Striping
Striping is a RAID concept that is focused on increasing the read and write performance by spreading data across multiple hard disks. With data being spread amongst multiple disk drives, reads and writes can be performed in parallel across multiple disks rather than serially on one disk. This parallelization provides a performance increase, but does not aid in data redundancy.
Parity
Parity is a means to achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance.
RAID 0 – Striped Set
RAID 0 employs striping to increase the performance of reads and writes. By itself, striping offers no data redundancy, so RAID 0 is a poor choice if recovery of data is the reason for leveraging RAID.
RAID 1 – Mirrored Set
RAID 1 creates/ writes an exact duplicate of all data
to an additional disk. The write performance is decreased, though the read performance can see an increase. Disk cost is one of the most troubling aspects of this level of RAID, as at least half of all disks are dedicated to redundancy.
RAID 2 - Hamming Code
RAID 2 is not considered commercially viable for hard disks and is not used. This level of RAID would require either 14 or 39 hard disks and a specially designed hardware controller, which makes RAID 2 incredibly cost prohibitive.
RAID 3 – Striped Set with Dedicated Parity (Byte Level)
With RAID 3, data, at the byte level, is striped across multiple disks, but an additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.
RAID 4 – Striped Set with Dedicated Parity (Block Level)
RAID 4 provides the exact same configuration and functionality as that of RAID 3, but stripes data at the block, rather than byte, level. Like RAID 3, RAID 4 employs a dedicated parity drive.
RAID 5 – Striped Set with Distributed Parity
Most popular
RAID 5 there is a focus on striping for the performance increase it offers, and RAID 5 leverages block level striping. Like RAIDs 3 and 4, RAID 5 writes parity information that is used for recovery purposes. However, unlike RAIDs 3 and 4, which require a dedicated disk for parity information, RAID 5 distributes the parity information across multiple disks. One of the reasons for RAID 5’ s popularity is that the disk cost for redundancy is lower than that of a Mirrored set. Another important reason for this level’s popularity is the support for both hardware and software based implementations, which significantly reduces the barrier to entry for RAID configurations. RAID 5 allows for data recovery in the event that any one disk fails.
RAID 6 – Striped Set with Dual Distributed Parity
While RAID 5 accommodates the loss of any one drive in the array, RAID 6 can allow for the failure of two drives and still function. This redundancy is achieved by computing a second, independent parity block for each stripe (commonly labelled P and Q), also distributed across the disks; simply writing a copy of the same parity to two disks would not let the array survive the loss of two data disks.
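What parity actually buys you, as an added example rather than any controller's code: a miniature RAID 5 that stripes a payload across four disks in 4-byte blocks, rotates the XOR parity block from stripe to stripe, and rebuilds any single failed disk by XORing the survivors. The helper names (`raid5_write`, `raid5_read`, `raid5_rebuild`) and the geometry are assumptions for the illustration. The rebuild refuses two simultaneous failures, which is the limit RAID 6's second, independent parity exists to remove.

```python
"""RAID 5 in miniature: block-level striping with rotating XOR parity.

Added example; the raid5_* helpers are hypothetical, not any controller's code.
The sample payload and the 4-disk / 4-byte-block geometry are constructed."""


def xor_bytes(*chunks):
    """XOR equal-length byte strings together (the parity operation)."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def parity_disk(stripe, ndisks):
    """RAID 5 rotates the parity block: stripe 0 -> last disk, stripe 1 -> the one before, ..."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data, ndisks, block):
    """Return ndisks 'disks' (lists of blocks): each stripe holds ndisks-1 data
    blocks plus their XOR parity on the rotating parity disk."""
    assert ndisks >= 3, "RAID 5 needs at least three disks"
    per_stripe = block * (ndisks - 1)
    padded = data + b"\x00" * (-len(data) % per_stripe)
    disks = [[] for _ in range(ndisks)]
    for s in range(len(padded) // per_stripe):
        chunk = padded[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block:(i + 1) * block] for i in range(ndisks - 1)]
        pdisk = parity_disk(s, ndisks)
        data_blocks = iter(blocks)
        for d in range(ndisks):
            disks[d].append(xor_bytes(*blocks) if d == pdisk else next(data_blocks))
    return disks


def raid5_read(disks, length):
    """Reassemble the payload by skipping each stripe's parity block."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(ndisks):
            if d != parity_disk(s, ndisks):
                out += disks[d][s]
    return bytes(out[:length])


def raid5_rebuild(disks, failed):
    """Rebuild disk `failed` (its slot is None) from the survivors: in every stripe
    the XOR of all other blocks, data and parity alike, equals the missing block."""
    survivors = [d for i, d in enumerate(disks) if i != failed and d is not None]
    if len(survivors) != len(disks) - 1:
        raise ValueError("single parity can reconstruct exactly one missing disk")
    rebuilt = [xor_bytes(*[d[s] for d in survivors]) for s in range(len(survivors[0]))]
    repaired = list(disks)
    repaired[failed] = rebuilt
    return repaired


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"
    array = raid5_write(payload, ndisks=4, block=4)
    degraded = list(array)
    degraded[1] = None                      # disk 1 dies
    print(raid5_read(raid5_rebuild(degraded, 1), len(payload)) == payload)
```

Rotating the parity block is what distinguishes RAID 5 from RAID 4: with a dedicated parity disk every write touches that one disk, which becomes the bottleneck and wears fastest.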
RAID 1 + 0 or RAID 10
RAID 1 + 0 or RAID 10 is an example of what is known as nested RAID or multi-RAID, which simply means that one standard RAID level is encapsulated within another. With RAID 10, which is also commonly written as RAID 1 + 0 to explicitly indicate the nesting, the configuration is that of a striped set of mirrors.
Raid 10 or 1+ 0 : Is implemented as a striped array whose segments are RAID 1 arrays. RAID 10 has the same fault tolerance as RAID level 1. High I/O rates are achieved by striping RAID 1 segments. Under certain circumstances, RAID 10 array can sustain multiple simultaneous drive failures. This is an excellent solution for sites that would have otherwise gone with RAID 1 but need some additional performance boost.
High Availability Cluster (HA)
A high-availability cluster employs multiple systems that are already installed, configured, and plugged in, such that if a failure causes one of the systems to fail then the other can be seamlessly leveraged to maintain the availability of the service or application being provided.
The primary implementation consideration for high-availability clusters is whether each node of the cluster is actively processing data in advance of a failure. If all nodes are, the configuration is active-active, commonly referred to as load balancing; if a standby node takes over only when the primary fails, the configuration is active-passive (failover).
Business Continuity Planning (BCP)
The overarching goal of a BCP is for ensuring that the business will continue to operate before, throughout, and after a disaster event is experienced. The focus of a BCP is on the business as a whole, and ensuring that those critical services that the business provides or critical functions that the business regularly performs can still be carried out both in the wake of a disruption as well as after the disruption has been weathered.
Business Continuity Planning provides a long-term strategy for ensuring the continued successful operation of an organization in spite of inevitable disruptive events and disasters.
Disaster Recovery Planning (DRP)
Disaster Recovery Plan is more tactical in its approach. The DRP provides a short-term plan for dealing with specific disruptions. Mitigating a malware infection that shows risk of spreading to other systems is an example of a specific IT-oriented disruption that a DRP would address. The DRP focuses on efficiently attempting to mitigate the impact of a disaster and the immediate response and recovery of critical IT systems in the face of a significant disruptive event. Disaster Recovery Planning is considered tactical rather than strategic and provides a means for immediate response to disasters. The DRP does not focus on long-term business impact in the same fashion that a BCP does.
Relationship between BCP and DRP
The Business Continuity Plan is an umbrella plan that includes multiple specific plans, most importantly the Disaster Recovery Plan.
The Business Continuity Plan attends to ensuring that the business is viable before, during, and after significant disruptive events. This continued viability would not be possible without being able to quickly recover critical systems, which is fundamentally what a Disaster Recovery Plan provides.
One means of distinguishing Business Continuity Plan from the Disaster Recovery Plan is realizing that the BCP is concerned with the business-critical function or service provided as opposed to the systems that might typically allow that function to be performed.
The three common ways of categorizing the causes for disasters
are the threat agents
natural,
human, or
environmental in nature.
Natural threat
The most obvious types of threat that can result in a disaster are naturally occurring. This category includes threats such as earthquakes, hurricanes, tornadoes, floods, and some types of fires.
Human threat
Examples of human-intentional threats include terrorists, malware, rogue insider, Denial of Service, hacktivism, phishing, social engineering, etc. Examples of human-unintentional threats are primarily those that involve inadvertent errors and omissions, in which the person through lack of knowledge, laziness, or carelessness served as a source of disruption.