Domain 7: Security Operations

Question 1

Continuity Planning Subtasks (5)

Answer 1

Strategy Development, Provisions and Processes ,Plan Approval, Plan Implementation, Training and Education

Question 2

Strategy Devlopment

Answer 2

Bridges gap btwn BIA and Continuity Planning in BCP - determines which risks are acceptable which must be mitigated

Question 3

Provisions and Processes

Answer 3

specific procedures and mechanisms that will mitigate the risk deemed unacceptable

Question 4

Three Categories of assets in BCP Provisions and Processes

Answer 4

People, Buildings/Facilities, Infrasctructure

Question 5

Important Components of a Written BCP (11)

Answer 5

Continuity Planning Goals, Statement of Importance, Statement of Priorities, Statement of Organizational Responsibility, Statement of Urgency and Timing, Risk Assessment, Risk Acceptance/Mitigation, Vital Records Program, Emergency Response Guidelines, Maintenance, Testing and Exercise

Question 6

Importance of a Written BCP (3)

Answer 6

Historical Benefit, Sanity Check, Reference document

Question 7

Entitlement

Answer 7

amount of privileges granted to users

Question 8

Aggregation

Answer 8

amount of privileges that users collect over time

Question 9

Transitive Trust

Answer 9

extends the trust between two security domains to all their sub domains

Question 10

Common methods for managing security in the information life cycle

Answer 10

Marking Data, Handling data, storing Data, Destroying Data

Question 11

SLA

Answer 11

Service level agreement - agreement between and org and vendor that stipulated performance expectations

Question 12

MOU

Answer 12

documents the intent of two entities to work together toward a common goal

Question 13

ISA

Answer 13

info on how the two parties establish, maintain, and disconnect the connection

Question 14

Virtual Machines

Answer 14

run as guest OSs on physical servers

Question 15

SDNs

Answer 15

Software Defined Networks - uses simple network devices other than routers and switches

Question 16

VSANs

Answer 16

Virtual Storage Area Networks - virtual dedicated high speed network that hosts multiple storage devices

Question 17

What is the primary software component in virtualization?

Answer 17

Hypervisor

Question 18

Hypervisor

Answer 18

managers the VMs, virtual data storage, and virtual network components

Question 19

Cloud Computing

Answer 19

on demand access to computing resources from almost anywhere

Question 20

SaaS

Answer 20

Software as a Service - fully functional applications (Google Docs), Consumes do not manage or control any assets

Question 21

PaaS

Answer 21

Platform as a Service - computing platform (hw, OS, application), consumers manager the applications and maybe some config settings

Question 22

IaaS

Answer 22

Infrastructure as a Service - servers, storage, networking resources, consumers install OS and applications and perform all maintenance

Question 23

What are the 4 cloud models?

Answer 23

Public, Private, Hybrid, and Community

Question 24

Public Cloud Model

Answer 24

assets available for any consumer to rent or lease

Question 25

Private Cloud Model

Answer 25

assets are for a single organization

Question 26

Community Cloud Model

Answer 26

assets are provided to two or more organizations

Question 27

Baseline

Answer 27

starting point for configuration of a system

Question 28

Unauthorized Changes Directly affect the __ in the CIA triad

Answer 28

Availability

Question 29

Vulnerability Management

Answer 29

regularly identifying, evaluating and mitigating vulnerabilities

Question 30

CVE

Answer 30

common vulnerability and exposure - dictionary for a standard convention in identifying vulnerabilities

Question 31

Incident

Answer 31

Any event that has a negative effect on the CIA of an org’s asset

Question 32

Computer Security Incident

Answer 32

an incident that is a result of an attack

Question 33

Incident Response Steps

Answer 33

Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons Learned

Question 34

DoS Attacks

Answer 34

attacks that prevent a system from processing or responding to legitimate traffic or requests

Question 35

DDoS

Answer 35

DoS attack using multiple attack systems

Question 36

DRDoS

Answer 36

Distributed Reflective DoS, doesn’t attack victim directly, manipulates traffic to reflect attacks back

Question 37

SYN Flood attack

Answer 37

sends multiple SYN flags, never completed conversation

Question 38

Smurf Attack

Answer 38

floods the victim with ICMP echo packets

Question 39

Fraggle Attacks

Answer 39

floods victims with UDP Packets over port 7 and 19

Question 40

Ping Flood Attack

Answer 40

floods a victim with ping requests

Question 41

Ping-of-death Attack

Answer 41

send oversized ping packet

Question 42

Teardrop Attack

Answer 42

attacker fragments traffic in such a way that a system is unable to put data packets back together

Question 43

Land Attack

Answer 43

attacker sends spoofed SYN packets suing the victims IP address as source and destination

Question 44

Zero-day Exploit

Answer 44

attack on a system exploiting an unknown vulnerability

Question 45

Malicious Code

Answer 45

any script or program that performs an unwanted, unauthorized, or unknown activity

Question 46

Drive-by Download

Answer 46

code downloaded and installed on a user’s system without their knowledge

Question 47

Man in the Middle Attack

Answer 47

attacker gains a logical position between two endpoints of communication

Question 48

War Dialing

Answer 48

using a modem to search for a system that accepts inbound comms attempts, newer forms use VoIP

Question 49

Knowledge Based Detection

Answer 49

signature or pattern based, uses database of known attacks

Question 50

Behavior Based Detection

Answer 50

heuristics or anomaly based, creates a baseline of normal

Question 51

Passive vs Active IDS Response

Answer 51

Passive is notifications, active modifies the environment

Question 52

Darknet

Answer 52

Portion of allocated IP addresses within a network that are not used

Question 53

Pseudo Flaws

Answer 53

false vulnerabilities intentionally implanted in a system to tempt attackers

Question 54

Padded Cells

Answer 54

similar to honeypot but performs intrusion isolation

Question 55

Whitelisting

Answer 55

Identifies list of apps authorized to run

Question 56

Blacklisting

Answer 56

Identified list of apps unauthorized to run

Question 57

Logging

Answer 57

process of recording info about events to a log file or database

Question 58

Monitoring

Answer 58

process of reviewing information logs looking for something specific

Question 59

Log Analysis

Answer 59

detailed and systematic form of monitoring

Question 60

SIEM

Answer 60

Security Information and Event Management - provide real time analysis of events

Question 61

Sampling

Answer 61

process of extracting specific elements from a large collection of data to construct something meaningful

Question 62

Clipping

Answer 62

form of nonstatistical sampling

Question 63

Egress Monitoring

Answer 63

monitoring outgoing traffic to prevent data exfiltration

Question 64

What are the two primary types of DLP systems?

Answer 64

Network based and endpoint based

Question 65

Network Based DLP

Answer 65

scans all outgoing data looking for specific data

Question 66

Endpoint-based DLP

Answer 66

scans filed stored on the system as well as files sent to external devices (printers, flash drives, etc)

Question 67

Disaster Recover Planning steps in where ___ leaves off

Answer 67

BCP

Question 68

Single Point of Failure

Answer 68

any component that can cause an entire system to fail

Question 69

Fault Tolerance

Answer 69

the ability of a system to suffer a fault but continue to operate

Question 70

System Resilence

Answer 70

the ability of a system to maintain an acceptable level of service during an adverse event

Question 71

RAID-0

Answer 71

Striping, uses two or more disks and improves disk performance but does not provide fault tolerance

Question 72

RAID-1

Answer 72

Mirroring - uses two disks which both hold the same data

Question 73

RAID-5

Answer 73

Striping with Parity - uses three or more disks, provides fault tolerance but system will operate slower

Question 74

RAID-10

Answer 74

aka RAID 1 +0, a stripe of mirrors, two or more mirrors configured in a stripe

Question 75

UPS

Answer 75

Uninterruptible Power Supply, provides btwn 5 and 30 min of power

Question 76

Fail Secure System

Answer 76

systems will default to a secure state in the event of a failure

Question 77

Fail Open System

Answer 77

fails to an open state, granting all access

Question 78

4 Types of Trusted Recovery

Answer 78

Manual Recovery, Automated Recovery, Automated Recovery without Undue Loss, Function Recovery

Question 79

Function Recovery

Answer 79

automatically recover specific functions

Question 80

Manual Recovery

Answer 80

does not fail in secure state, admin manually takes actions for a secured or trusted recovery

Question 81

Automated Recovery

Answer 81

system performs trusted recovery activities to restore itself against at least one type of failure

Question 82

Automated Recovery without Undue Loss

Answer 82

system performs trusted recovery activities to restore itself against at least one type of failure + specific objects are protected against loss

Question 83

Bandwidth

Answer 83

network capacity available to carry communications

Question 84

Latency

Answer 84

time it takes a packet to travel from source to destination

Question 85

JItter

Answer 85

variation in latency between different packets

Question 86

The DRP team must first __________

Answer 86

identify the high priority business units

Question 87

Cold Sites

Answer 87

standby facilities with HVAC, power, etc and nothing else, takes weeks to set up

Question 88

Hot site

Answer 88

up to date data and facilities, may be ready instantaneously

Question 89

Warm Sites

Answer 89

contains equipment and data circuits, usually 12-24 hours to activate

Question 90

Service Bureau

Answer 90

Company that leases computer time, owns large server farms

Question 91

MAAs

Answer 91

Mutual Assistance Agreements - two orgs pledge to assist each other

Question 92

Electronic Vaulting

Answer 92

database backups are moved to a remote site using bulk transfers

Question 93

Remote Journaling

Answer 93

data transfers are performed more frequently (once/hour)

Question 94

Remote Mirroring

Answer 94

live database server is maintained at the backup site

Question 95

Full Backups

Answer 95

complete copy, resets archive bit

Question 96

Incremental Backups

Answer 96

copy only files that have been modified since the last full or incremental backup, resets archive bit

Question 97

Differential Backups

Answer 97

copy all files modified since last full backup, does not reset archive bit

Question 98

Software Escrow Arangements

Answer 98

third party sw developer provides copies of source code to another organization - in case they do not continue support or shut down

Question 99

Recovery vs Restoration

Answer 99

Recovery is short time frame, implement and maintain operations at the recovery site. Restoration restores primary site to operational capacity

Question 100

3 goals of a Read-through test

Answer 100

ensures you have key personnel aware of roles, provides individuals an opportunity to review the plans and update, update personnel who have left

Question 101

Structured Walk Through

Answer 101

table top exercise - role play scenario

Question 102

Simulation Test

Answer 102

structured walk through + testing of scenarios

Question 103

Parallel Test

Answer 103

relocate personnel to alternate site and implement site activation procedures

Question 104

Full-Interruption Test

Answer 104

shut down operations at the primary site and shifting them to the recovery site

Question 105

Operational Investigations

Answer 105

examine issues related to the organization’s computing infrastructure and have the primary goal of resolving operational issues

Question 106

Criminal Investigations

Answer 106

may result in charging suspects with a crime

Question 107

Regulatory Investigations

Answer 107

when the government believes that an individual or corporation has violated administrative law

Question 108

9 Steps of Electronic Discovery

Answer 108

Information Governance, Identification, Preservation, Collection, Processing, Review, Analysis, Production, Presentation

Question 109

What are the 3 requirements of admissible evidence?

Answer 109

relevant, related (Material) to the case, competent (obtained legally)

Question 110

Real Evidence

Answer 110

physical evidence

Question 111

Documentary Evidence

Answer 111

written items

Question 112

Testimonial Evidence

Answer 112

testimony of a witness

Question 113

Media Analysis

Answer 113

identification and extraction of information from storage media

Question 114

Network Analysis

Answer 114

activity over network

Question 115

Hardware/Embedded Device Analysis

Answer 115

review the contents of hw and embedded devices

Question 116

Military and Intelligence Attacks

Answer 116

launched to obtain secret and restricted information from law enforcement or military

Question 117

Business Attacks

Answer 117

illegally obtaining an org’s confidential information

Question 118

Financial Attacks

Answer 118

unlawfully obtain money or services

Question 119

Grudge Attacks

Answer 119

attacks carried out to damage an org or person

Question 120

Thrill Attacks

Answer 120

script kiddies, often for the fun of it

Question 121

Event

Answer 121

any occurrence that takes place during a certain period of time

Question 122

Incident

Answer 122

An event that has a negative outcome affecting the CIA

Question 123

Scanning

Answer 123

similar to a burglar casing a neighborhood

Question 124

Compromise

Answer 124

any unauthorized access to the system of information the system stores

Question 125

CIRT

Answer 125

computer incident response team

Question 126

3 Step Incident Response Process

Answer 126

1. Detection and Identification
2. Response and Reporting
3. Recover and Remediation

Question 127

1. Detection and Identification

Answer 127

detect security incident and notify appropriate personnel

Question 128

2. Response and Reporting

Answer 128

Isolation and Containment, Gathering Evidence

Question 129

3. Recovery and Restoration

Answer 129

restore environment to normal operating state and complete a lessons learned process

Question 130

5 rules of digital evidence

Answer 130

authentic, accurate, convincing, complete, admissable