Domain 7: Security Operations Flashcards

1
Q

Preparation

A

Preparation includes training, writing incident response policies and procedures, and providing tools such as laptops with sniffing software, crossover cables, original OS media, and removable drives. Preparation should cover anything that may be required to handle an incident, or that will make incident response faster and more effective.

2
Q

Detection

A

Detection (also called identification) is the phase in which events are analyzed to determine whether they constitute a security incident.

3
Q

Response

A

The response phase (aka containment) of incident response is the point at which the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident. Responses might include taking a system off the network, isolating traffic, powering off the system, or other actions that control both the scope and severity of the incident.

4
Q

The mitigation phase

A

involves understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status in the later recovery phase.

5
Q

Reporting

A

Reporting must begin immediately upon detection of malicious activity. Reporting has two primary areas of focus: technical and non-technical reporting. The incident handling team must report the technical details of the incident as it begins the incident handling process, while maintaining sufficient bandwidth to also notify management of serious incidents.

6
Q

Recovery

A

The recovery phase involves cautiously restoring the system or systems to operational status. Typically, the business unit responsible for the system will dictate when the system goes back online.

7
Q

Remediation

A

Remediation steps occur during the mitigation phase, where the vulnerabilities within the impacted system or systems are fixed.

8
Q

The four types of IDS events

A

True Positive
True Negative
False Positive
False Negative

9
Q

True Positive

A

Conficker worm is spreading on a trusted network, and NIDS alerts

10
Q

True Negative

A

User surfs the Web to an allowed site, and NIDS is silent

11
Q

False Positive

A

User surfs the Web to an allowed site, and NIDS alerts

12
Q

False Negative:

A

Conficker worm is spreading on a trusted network, and NIDS is silent

13
Q

Difference between an active-response NIDS and a NIPS

A

Architecturally, an active-response NIPS is like the NIDS in Figure 8.5; the difference is that the NIPS monitoring interface is read/write (the device sits inline), so it can drop or modify traffic rather than only alert.

14
Q

Tripwire

A

Tripwire protects system integrity by detecting changes to critical operating system files. Changes are detected through a variety of methods, including comparison of cryptographic hashes.

15
Q

Pattern Matching

A

Pattern matching works well for detecting known attacks, but usually does poorly against new attacks, or against known attacks altered so that the signature no longer matches.

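The four IDS outcomes from the earlier cards and the pattern-matching weakness from this one, as an added example (not from any IDS product): a signature-based detector is run over constructed traffic and each verdict is scored against the known ground truth. The signatures are written in the spirit of content-matching rules but are not real Snort rules, and the request lines are made up. The sample deliberately includes an encoded variant of a known attack that the signature misses (false negative) and a benign URL that happens to contain a signature string (false positive).

```python
"""Signature (pattern-matching) detector scored as TP/TN/FP/FN (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed signatures, modelled on content-matching IDS rules (not real Snort rules).
SIGNATURES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("dir-traversal", re.compile(r"\.\./\.\./")),
    ("unix-shell-cmd", re.compile(r"(?:;|\|)\s*(?:cat|nc|bash)\b")),
    ("sqli-tautology", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)),
]

# Constructed "packets": (payload, is_really_malicious) -- the ground truth an
# analyst would establish after the fact.
TRAFFIC: List[Tuple[str, bool]] = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /../../etc/passwd HTTP/1.1", True),                  # known attack
    ("GET /..%2f..%2fetc/passwd HTTP/1.1", True),              # encoded variant: no signature matches
    ("GET /login?user=admin' or '1'='1 HTTP/1.1", True),
    ("GET /blog/why-i-love-cat-pictures|nc HTTP/1.1", False),  # benign text that trips a signature
    ("POST /api/upload HTTP/1.1", False),
]


def match_signatures(payload: str) -> List[str]:
    """Names of every signature whose pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES if pat.search(payload)]


def classify(alerted: bool, malicious: bool) -> str:
    """Map (detector verdict, ground truth) onto the four IDS outcome types."""
    if alerted and malicious:
        return "true_positive"
    if not alerted and not malicious:
        return "true_negative"
    if alerted and not malicious:
        return "false_positive"
    return "false_negative"


def evaluate(traffic: List[Tuple[str, bool]]) -> Dict[str, int]:
    """Score the detector over a traffic sample; returns counts per outcome."""
    counts: Counter = Counter()
    for payload, malicious in traffic:
        counts[classify(bool(match_signatures(payload)), malicious)] += 1
    return dict(counts)


if __name__ == "__main__":
    for payload, malicious in TRAFFIC:
        hits = match_signatures(payload)
        print(f"{classify(bool(hits), malicious):15} {hits} {payload}")
    print(evaluate(TRAFFIC))
```

Tuning a signature tighter reduces false positives but widens the gap a variant can slip through, and vice versa; that trade-off, not the signature list itself, is what a detection engineer spends most of their time on.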
16
Q

The Security Information and Event Management (SIEM) is the primary tool used to

A

ease the correlation of data across disparate sources.

17
Q

Typical challenges associated with endpoint security are associated

A

with volume considerations: vast number of products/systems must be managed; significant data must be analyzed and potentially retained.

18
Q

Application whitelisting is superior to application

A

blacklisting, because a whitelist denies everything not explicitly approved, whereas a blacklist only blocks what is already known to be bad.

19
Q

A honeypot

A

is a system designed to attract attackers. This allows information security researchers and network defenders to better analyze network-based attacks. Honeypots have no production value beyond research.

20
Q

Low-interaction honeypots

A

simulate network services rather than run them, usually by scripting network actions (such as displaying a service banner) so that the attacker's connection attempts can be logged.

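A low-interaction honeypot of exactly this kind, as an added example (not from any honeypot project): a TCP listener sends a fake SSH banner, records whatever the client sends first, and closes. The banner string, the port choice and the simulated scanner are constructed; there is no SSH implementation behind the banner, which is the point, since there is nothing for an attacker to actually compromise.

```python
"""Low-interaction honeypot: scripted banner, log the probe, hang up (added example)."""
import socket
import threading
import time
from typing import Dict, List

# Constructed banner; it mimics the format of a real OpenSSH greeting.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"


class BannerHoneypot:
    """Accepts TCP connections, sends a fake banner, logs the first bytes sent back."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))             # port 0: the OS picks a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events: List[Dict[str, object]] = []  # the honeypot's log
        self._lock = threading.Lock()
        threading.Thread(target=self._serve, daemon=True).start()

    def _handle(self, conn: socket.socket, peer: tuple) -> None:
        with conn:
            conn.settimeout(2.0)
            conn.sendall(FAKE_BANNER)            # the scripted "network action"
            try:
                first = conn.recv(256)           # the client's own banner or probe
            except socket.timeout:
                first = b""
        with self._lock:
            self.events.append({"peer": peer[0], "client_sent": first})

    def _serve(self) -> None:
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:
                return                           # listener closed: stop serving
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def wait_for_events(self, count: int, timeout: float = 2.0) -> List[Dict[str, object]]:
        """Block until `count` connections have been logged (or the timeout passes)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return [dict(e) for e in self.events]
            time.sleep(0.01)
        with self._lock:
            return [dict(e) for e in self.events]

    def close(self) -> None:
        self.sock.close()


def probe(port: int, client_banner: bytes = b"SSH-2.0-masscan\r\n") -> bytes:
    """Play the scanner: connect, read the banner, send a client banner, hang up."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(256)
        c.sendall(client_banner)
    return banner


def demo() -> Dict[str, object]:
    """Start the honeypot on loopback, hit it once, return the logged event."""
    hp = BannerHoneypot()
    try:
        seen = probe(hp.port)
        event = hp.wait_for_events(1)[0]
    finally:
        hp.close()
    event["banner_seen_by_client"] = seen
    return event


if __name__ == "__main__":
    print(demo())
```

Because nothing real listens behind the banner, a connection to it is by definition unexpected, so every logged event is worth an analyst's attention; that high signal-to-noise ratio is why even a trivial honeypot is useful.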
21
Q

High-interaction honeypots

A

run actual operating systems, in hardware or virtualized

22
Q

honeynet

A

Honeynets can include a honeywall (honeynet firewall) that is intended to limit the likelihood of the honeynet being used to attack other systems.

23
Q

Security baselining

A

is the process of capturing a point-in-time understanding of the current system security configuration.

24
Q

The three basic types of backups are

A

full backup, incremental backup and differential backup.

25
Q

Incremental backups

A

only archive files that have changed since the last backup of any kind was performed. Though the time to perform each incremental backup is extremely short, the downside is that a full restore can require quite a few tapes, especially if full backups are performed infrequently.

26
Q

Differential

A

Another approach to data backup is the differential backup method. While the incremental backup archives only the files that have changed since the last backup of any kind, the differential method backs up every file that has changed since the last full backup.

29
Q

RAID

A

The goal of a Redundant Array of Inexpensive Disks (RAID) is to help mitigate the risk associated with hard disk failures.

30
Q

Three critical RAID terms are:

A

mirroring, striping and parity.

31
Q

Mirroring

A

is the most obvious and basic of the fundamental RAID concepts, and is simply used to achieve full data redundancy by writing the same data to multiple hard disks

32
Q

Striping

A

is a RAID concept that is focused on increasing read and write performance by spreading data across multiple hard disks. With data spread among multiple disk drives, reads and writes can be performed in parallel across multiple disks rather than serially on one disk. This parallelization provides a performance increase, but does not aid in data redundancy.

33
Q

Parity

A

is a means to achieve data redundancy without incurring the same degree of cost as mirroring in terms of disk usage and write performance.

34
Q

RAID 0

A

RAID 0 employs striping to increase the performance of read and writes. By itself, striping offers no data redundancy so RAID 0 is a poor choice if recovery of data is the reason for leveraging RAID

35
Q

RAID 1

A

This level of RAID is perhaps the simplest of all RAID levels to understand. RAID 1 creates/writes an exact duplicate of all data to an additional disk. The write performance is decreased, though the read performance can see an increase. Disk cost is one of the most troubling aspects of this level of RAID, as at least half of all disks are dedicated to redundancy

36
Q

RAID 3

A

Striping is desirable due to the performance gains associated with spreading data across multiple disks. However, striping alone is not as desirable due to the lack of redundancy. With RAID 3, data, at the byte level, is striped across multiple disks, but an additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.

37
Q

RAID 4

A

RAID 4 provides the exact same configuration and functionality as that of RAID 3, but stripes data at the block, rather than byte, level. Like RAID 3, RAID 4 employs a dedicated parity drive.

38
Q

RAID 5

A

One of the most popular RAID configurations is that of RAID 5, Striped Set with Distributed Parity. Again with RAID 5 there is a focus on striping for the performance increase it offers, and RAID 5 leverages block level striping. Like RAIDs 3 and 4, RAID 5 writes parity information that is used for recovery purposes. However, unlike RAIDs 3 and 4, which require a dedicated disk for parity information, RAID 5 distributes the parity information across multiple disks. One of the reasons for RAID 5’s popularity is that the disk cost for redundancy is lower than that of a Mirrored set. Another important reason for this level’s popularity is the support for both hardware and software based implementations, which significantly reduces the barrier to entry for RAID configurations. RAID 5 allows for data recovery in the event that any one disk fails

39
Q

active-active configuration

A

The distinguishing question for high-availability (HA) clusters is whether each node is actively processing data in advance of a failure. In an active-active configuration, every node is.

40
Q

active-passive

A

also called a hot standby configuration, in which the backup systems only begin processing when a failure state is detected.

41
Q

Business Continuity Planning provides the …… strategic business oriented plan for continued operation after a disruptive event, the Disaster Recovery Plan is more tactical in its approach

A

long-term

42
Q

Disaster Recovery Planning is considered ……rather than strategic and provides a means for immediate response to disasters. The DRP does not focus on long-term business impact in the same fashion that a BCP does

A

tactical

43
Q

The Business Continuity Plan is an umbrella plan that includes multiple specific plans, most importantly the ………

A

Disaster Recovery Plan

44
Q

The Business Impact Analysis (BIA)

A

is the formal method for determining how a disruption to the IT system(s) of an organization will impact the organization’s requirements, processes, and interdependencies with respect the business mission. [19] It is an analysis to identify and prioritize critical IT systems and components. It enables the BCP/DRP project manager to fully characterize the IT contingency requirements and priorities. [20] The objective is to correlate the IT system components with the critical service it supports. It also aims to quantify the consequence of a disruption to the system component and how that will affect the organization

45
Q

The primary goal of the BIA

A

is to determine the Maximum Tolerable Downtime (MTD) for a specific IT asset.

46
Q

the BIA is comprised of two processes.

A

First, identification of critical assets must occur. Second, a comprehensive risk assessment is conducted.

47
Q

Maximum Tolerable Downtime (MTD)

A

describes the total time a system can be inoperable before an organization is severely impacted.

48
Q

Reconstitution is the process

A

of moving an organization from the disaster recovery to business operations.

49
Q

The Recovery Point Objective (RPO)

A

is the amount of data loss or system inaccessibility (measured in time) that an organization can withstand.

50
Q

The Recovery Time Objective (RTO)

A

describes the maximum time allowed to recover business or IT systems.

51
Q

Work Recovery Time (WRT)

A

describes the time required to configure a recovered system. “Downtime consists of two elements, the systems recovery time and the work recovery time.”

52
Q

Mean Time Between Failures (MTBF)

A

quantifies how long a new or repaired system will run before failing.

53
Q

The Mean Time to Repair (MTTR)

A

describes how long it will take to recover a specific failed system

54
Q

Minimum Operating Requirements (MOR)

A

describe the minimum environmental and connectivity requirements in order to operate computer equipment.

55
Q

Hot site

A

A hot site will have the capability to allow the organization to resume critical operations within a very short period of time—sometimes in less than an hour

56
Q

Warm Site

A

A warm site typically takes 1–3 days to bring to operational status.

57
Q

A cold site

A

Recovery time at a cold site is usually measured in weeks, not days.

58
Q

Continuity of Operations Plan (COOP)

A

describes the procedures required to maintain operations during a disaster. This includes transfer of personnel to an alternate disaster recovery site, and operations of that site.

59
Q

Business Recovery Plan (BRP)

A

details the steps required to restore normal business operations after recovering from a disruptive event. This may include switching operations from an alternate site back to a (repaired) primary site.

60
Q

The Occupant Emergency Plan (OEP)

A

provides the “response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property.”

61
Q

The Crisis Management Plan (CMP)

A

designed to provide effective coordination among the managers of the organization in the event of an emergency or disruptive event.

62
Q

RAID systems with hot-swapping disks are able to ……

A

replace drives while the system is running.

63
Q

RAID parity is used to ….

A

rebuild lost or corrupted data
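
How parity rebuilds a lost disk, as an added example covering this card and the RAID 3/4/5 cards above (not from any RAID implementation): each stripe holds one parity block equal to the XOR of the data blocks, so any single missing block in a stripe, data or parity, is the XOR of the surviving blocks. The parity position rotates from stripe to stripe, which is what RAID 5's "distributed parity" means; the layout rule, the data string and the disk/block sizes are constructed for the example.

```python
"""XOR parity rebuild for a RAID 5-style stripe set (added example)."""
from typing import List

# Constructed payload to stripe across the disks.
DATA = b"RAID 5 keeps one parity block per stripe, rotating across disks."


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        assert len(b) == len(out), "all blocks in a stripe must be equal length"
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe_index: int, n_data_disks: int) -> int:
    """Constructed rotation rule: parity moves one disk to the left each stripe."""
    return (n_data_disks - stripe_index) % (n_data_disks + 1)


def write_stripes(data: bytes, n_data_disks: int, block_size: int) -> List[List[bytes]]:
    """Split data into stripes of n_data_disks data blocks + 1 parity block.

    Returns a list of stripes; each stripe is a list with one block per disk.
    """
    stripe_bytes = n_data_disks * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)   # pad the last stripe
    stripes = []
    for k, off in enumerate(range(0, len(padded), stripe_bytes)):
        chunk = padded[off:off + stripe_bytes]
        data_blocks = [chunk[i:i + block_size] for i in range(0, stripe_bytes, block_size)]
        parity = xor_blocks(data_blocks)
        p = parity_disk_for(k, n_data_disks)
        it = iter(data_blocks)
        stripes.append([parity if d == p else next(it) for d in range(n_data_disks + 1)])
    return stripes


def rebuild_disk(stripes: List[List[bytes]], failed_disk: int) -> List[bytes]:
    """Reconstruct every block of one failed disk from the surviving disks."""
    return [xor_blocks([blk for d, blk in enumerate(stripe) if d != failed_disk])
            for stripe in stripes]


def read_data(stripes: List[List[bytes]], n_data_disks: int, length: int) -> bytes:
    """Reassemble the original data, skipping each stripe's parity block."""
    out = bytearray()
    for k, stripe in enumerate(stripes):
        p = parity_disk_for(k, n_data_disks)
        for d, blk in enumerate(stripe):
            if d != p:
                out += blk
    return bytes(out[:length])


def demo(failed_disk: int = 2, n_data_disks: int = 4, block_size: int = 4) -> bool:
    """Fail one disk, rebuild it onto a replacement, and verify the data survived."""
    stripes = write_stripes(DATA, n_data_disks, block_size)
    lost = [stripe[failed_disk] for stripe in stripes]      # what the dead disk held
    rebuilt = rebuild_disk(stripes, failed_disk)
    for stripe, blk in zip(stripes, rebuilt):
        stripe[failed_disk] = blk                            # write to the hot-swapped replacement
    return rebuilt == lost and read_data(stripes, n_data_disks, len(DATA)) == DATA


if __name__ == "__main__":
    print("rebuild succeeded:", demo())
```

Single parity only covers one failure: with two disks missing from the same stripe, the XOR of the survivors is the XOR of the two lost blocks, which does not identify either of them. That is why a RAID 5 set is at risk during the rebuild window and why RAID 6 adds a second, independently computed parity block.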

64
Q

Striping

A

This activity divides and writes the data over several drives. Both write and read performance are increased dramatically because more than one head is reading or writing data at the same time.

65
Q

Hierarchical storage management (HSM) provides

A

continuous online backup functionality

66
Q

A storage area network (SAN),

A

consists of numerous storage devices linked together by a high-speed private network and storage-specific switches.

68
Q

clustering is a fault-tolerant server technology that provides..

A

Clustering provides for availability and scalability

69
Q

……..provides for availability and scalability. It groups physically different systems and combines them logically, which helps to provide immunity to faults and improves performance.

A

Clustering

70
Q

A differential process backs up

A

the files that have been modified since the last full backup.

71
Q

incremental process backs up all the files

A

that have been modified since the last backup of any kind (full or incremental), not just since the last full backup.
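
The incremental/differential distinction from these two cards and from cards 24-26 above, as an added example (not from any backup product): a constructed four-day change history is run through both strategies, recording what each nightly job would archive and which backup sets a restore on the last day has to read. The file names and the days on which they change are made up; both strategies must reconstruct the same final state, and the example checks that they do.

```python
"""Incremental vs differential backups on a constructed change history (added example)."""
from typing import Dict, List, Set

# Constructed history: day 0 is the full backup (all files exist), then the
# files modified on each following day.
ALL_FILES = {"db.sqlite", "config.yml", "report.docx", "app.log"}
CHANGES: Dict[int, Set[str]] = {
    1: {"app.log", "db.sqlite"},
    2: {"app.log"},
    3: {"report.docx", "app.log", "db.sqlite"},
    4: {"config.yml"},
}


def plan_backups(strategy: str, days: int) -> List[Dict[str, object]]:
    """Return one backup set per day; each set maps file -> version (day last modified).

    strategy is "incremental" (changed since the last backup of any kind)
    or "differential" (changed since the last full backup).
    """
    if strategy not in ("incremental", "differential"):
        raise ValueError(f"unknown strategy: {strategy}")
    version = {f: 0 for f in ALL_FILES}
    sets: List[Dict[str, object]] = [{"day": 0, "kind": "full", "files": dict(version)}]
    since_full: Set[str] = set()              # everything touched since the full backup
    for day in range(1, days + 1):
        changed = CHANGES.get(day, set())
        for f in changed:
            version[f] = day
        since_full |= changed
        pick = changed if strategy == "incremental" else since_full
        sets.append({"day": day, "kind": strategy, "files": {f: version[f] for f in pick}})
    return sets


def restore_chain(sets: List[Dict[str, object]]) -> List[int]:
    """Days whose backup sets must be read to rebuild the latest state."""
    kind = sets[-1]["kind"]
    if kind == "full":
        return [sets[0]["day"]]
    if kind == "incremental":
        return [s["day"] for s in sets]           # the full plus every incremental, in order
    return [sets[0]["day"], sets[-1]["day"]]      # the full plus only the latest differential


def restore(sets: List[Dict[str, object]], chain: List[int]) -> Dict[str, int]:
    """Replay the chain in order; later sets overwrite earlier versions."""
    by_day = {s["day"]: s for s in sets}
    state: Dict[str, int] = {}
    for day in chain:
        state.update(by_day[day]["files"])
    return state


def archived_after_full(sets: List[Dict[str, object]]) -> int:
    """Total file copies written by the nightly jobs after the full backup."""
    return sum(len(s["files"]) for s in sets[1:])


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sets = plan_backups(strategy, 4)
        chain = restore_chain(sets)
        print(f"{strategy:12} nightly sizes={[len(s['files']) for s in sets[1:]]} "
              f"copies={archived_after_full(sets)} restore reads {len(chain)} sets -> {restore(sets, chain)}")
```

The numbers make the trade-off concrete: incremental writes the least each night but the restore must replay every set since the full, and losing any one of them breaks the chain; differential writes more each night (growing until the next full) but a restore needs only two sets.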

72
Q

A continuity of operations (COOP) plan

A

establishes senior management and a headquarters after a disaster.

73
Q

cyber-incident response

A

focuses on malware, hackers, intrusions, attacks, and other security issues. It outlines procedures for incident response with the goal of limiting damage, minimizing recovery time, and reducing costs. A cyber-incident response plan should include a description of the different types of incidents, who to call when an incident occurs, and each person’s responsibilities, procedures for addressing different types of incidents, and forensic procedures. The plan should be tested, and all participants should be trained on their responsibilities.

74
Q

Occupant emergency plan

A

establishes personnel safety and evacuation procedures. The goal of an occupant emergency plan is to reduce the risk to personnel and minimize the disruption to work and operations in the case of an emergency

75
Q

IT contingency plan

A

establishes procedures for the recovery of systems, networks, and major applications after disruptions. Steps for creating IT contingency plans are addressed in the NIST 800-34 document.

76
Q

Remote journaling

A

is a technology used to transmit data to an offsite facility, but this usually only includes moving the journal or transaction logs to the offsite facility, not the actual files

77
Q

electronic vaulting

A

commonly takes place between databases and makes copies of files as they are modified and periodically transmits them to an offsite backup site