Domain 7 - Security Operations Flashcards

1
Q

EVIDENCE LIFECYCLE

A
  1. Discovery
  2. Protection
  3. Recording
  4. Collection and identification
  5. Analysis
  6. Storage, preservation, transportation
  7. Present in court
  8. Return to owner
2
Q

Direct Evidence:

A

Can prove a fact by itself and does not need any type of backup.
• Testimony from a witness, i.e. something perceived through one of their five senses.
• Oral evidence is a type of secondary evidence, so a case can't simply stand on it alone, but it is direct evidence and does not need other evidence to substantiate it.

3
Q

Circumstantial evidence

A
  • Used to help assume another fact
  • Cannot stand on its own to directly prove a fact

4
Q

Corroborative Evidence:

A

Supports or substantiates other evidence presented in a case

5
Q

The Process - Due Process

A

• Prepare questions and topics
• Put the witness at ease
• Summarize information
• Have an interview/interrogation plan
• Have one person as lead and 1-2 others involved as well
• Never interrogate or interview alone

6
Q

Admissible Evidence

A

• The evidence must be relevant to determining a fact.
• The fact that the evidence seeks to determine must be material (that is, related) to the case.
• The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

7
Q

Five rules of evidence:

A
  • Be authentic; evidence tied back to scene
  • Be accurate; maintain authenticity and veracity
  • Be complete; all evidence collected, for & against view
  • Be convincing; clear & easy to understand for jury
  • Be admissible; be able to be used in court
8
Q

Forensic Disk Controller

A

Intercepts and modifies or discards commands sent to the storage device:
• Write blocking: intercepts write commands sent to the device and prevents them from modifying data on the device
• Returns data requested by a read operation
• Returns access-significant information from the device
• Reports errors from the device to the forensic host

LOGS TAKEN IN THE NORMAL COURSE OF BUSINESS

9
Q

Criminal law

A

Deals with individuals that violate government laws. Punishment is mostly imprisonment.

10
Q

Civil law

A

Wrongs against an individual or organization that result in damage or loss. Punishment can include financial penalties. AKA tort law ("I'll sue you!"). A jury decides liability.

11
Q

Administrative/Regulatory law

A

How industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties.

12
Q

Uniform Computer Information Transactions Act (UCITA)

A

Is a federal law that provides a common framework for the conduct of computer-related business transactions. UCITA contains provisions that address software licensing. The terms of UCITA give legal backing to the previously questionable practices of shrink-wrap licensing and click-wrap licensing by giving them status as legally binding contracts.

13
Q

Enticement

A

Is the legal action of luring an intruder, as with a honeypot.

14
Q

Entrapment

A

Is the illegal act of inducing a crime; the individual had no intent of committing the crime at first.

The Federal Sentencing Guidelines provide judges and courts with procedures on prevention, detection and reporting.

15
Q

Security incident and event management

SIEM

A

Automates much of the routine work of log review.
Provides real-time analysis of events occurring on systems throughout an organization, but doesn't necessarily scan outgoing traffic.

16
Q

Network-based DLP -

A

Scans all outgoing data looking for specific data. Administrators would place it on the edge of the network to scan all data leaving the organization. If a user sends out a file containing restricted data, the DLP system will detect it and prevent it from leaving the organization. The DLP system will send an alert, such as an email to an administrator.

17
Q

Endpoint-based DLP

A

Can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization's endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.

18
Q

3 states of information

A
  • data at rest (storage)
  • data in transit (the network)
  • data being processed (must be decrypted) / in use / end-point
19
Q

FAIL SAFE:

A

doors UNLOCK

20
Q

FAIL SECURE

A

doors LOCK

21
Q
Incident Response (624)
Events:
A

Anything that happens. Can be documented, verified and analyzed.

22
Q

Security Incident -

A

An event or series of events that adversely impacts the ability of an organization to do business. A suspected attack.

23
Q

Incident Response Lifecycle

A

Detection → Response → Mitigation → Reporting → Recovery → Remediation → Lessons Learned → cycle back to Response

24
Q

RAID 0

A

Striped, one large disk out of several – improved performance but no fault tolerance.

25
Q

RAID 1

A

Mirrored drives – fault tolerance from disk errors and single disk failure; expensive.

26
Q

RAID 3

A

Striped on byte level with an extra parity drive – improved performance and fault tolerance, but the parity drive is a single point of failure and write intensive. 3 or more drives.

27
Q

RAID4

A

Same as RAID 3 but striped on block level; 3 or more drives.

28
Q

RAID 5

A

Striped on block level, parity distributed over all drives – requires all drives but one to be present to operate; hot-swappable. Interleaved parity, recovery control; 3 or more drives.

29
Q

RAID 6

A

Dual parity, parity distributed over all drives – requires all drives but two to be present to operate; hot-swappable.

30
Q

RAID 7

A

Is the same as RAID 5 but all drives act as one single virtual disk.

31
Q

Electronic vaulting

A

Transfer of backup data to an offsite storage location via communication lines.

32
Q

Remote Journaling

A

Parallel processing of transactions to an alternative site via communication lines.

33
Q

Database shadowing

A

Live processing of remote journaling and creating duplicates of the database sets to multiple servers.

34
Q

Clearing Data

A

Overwriting media that is to be reused.

35
Q

Purging

A

Degaussing or overwriting media that is to be removed.

36
Q

Desk Check

A

Review the plan contents.

37
Q

Table-top exercise

A

Members of the disaster recovery team gather in a large conference room and roleplay a disaster scenario.

38
Q

Simulation tests

A

Are more comprehensive and may impact one or more noncritical business units of the organization; all support personnel meet in a practice room.

39
Q

Parallel tests

A

Involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at the alternate site while the main site remains open as well.

40
Q

Full-interruption tests

A

Involve relocating personnel to the alternate site and shutting down operations at the primary site.

41
Q

BCP Scope and plan initiation

A

Consider the amount of work required, the resources required, and management practice.

42
Q

Business Continuity Plan development

A
  1. Use the BIA to develop the BCP (the strategy development phase bridges the gap between the business impact assessment and the continuity planning phases of BCP development)
  2. Testing
43
Q

Plan approval and implementation

A
  1. Management approval
  2. Create awareness

44
Q

Warded lock

A

Hanging lock with a key (padlock).

45
Q

Tumbler lock

A

Cylinder slot.

46
Q

Cipher Lock

A

Electrical.

47
Q

Device lock

A

Bolts down hardware.

48
Q

Preset

A

Ordinary door lock.

49
Q

Raking

A

Circumvents a pin tumbler lock.

50
Q

Entitlement

A

Refers to the amount of privileges granted to users, typically when first provisioning an account. A user entitlement audit can detect when employees have excessive privileges.

51
Q

Bind variables

A

Are placeholders for literal values in a SQL query being sent to the database on a server. Bind variables in SQL are used to enhance the performance of a database.