Domain 7 - Security Operations

Question 1

EVIDENCE LIFECYCLE

Answer 1

1. Discovery
2. Protection
3. Recording
4. Collection and identification
5. Analysis
6. Storage, preservation, transportation
7. Present in court
8. Return to owner

Question 2

Direct Evidence:

Answer 2

Can prove fact by itself and does not need any type of backup.
• Testimony from a witness –one of their 5 senses:
Oral Evidence is a type of Secondary Evidence so the case can’t simply stand on it alone
But it is Direct Evidence and does not need other evidence to substantiate

Question 3

Circumstantial evidence

Answer 3

• Used to help assume another fact

* Cannot stand on its own to directly prove a fact

Question 4

Corroborative Evidence:

Answer 4

Supports or substantiates other evidence presented in a case

Question 5

The Process - Due Process

Answer 5

Prepare questions and topics, put witness at ease, • • • • • Summarize information
interview/interrogation plan
• Have one person as lead and 1-2 others involved as well
• never interrogate or interview alone

Question 6

Admissible Evidence

Answer 6

• The evidence must be relevant to determining a fact.
• The fact that the evidence seeks to determine must be material (that is, related) to the case.
• The evidence must be competent, meaning it must have been obtained legally. Evidence that
results from an illegal search would be inadmissible because it is not competent.

Question 7

Five rules of evidence:

Answer 7

• Be authentic; evidence tied back to scene
• Be accurate; maintain authenticity and veracity
• Be complete; all evidence collected, for & against view
• Be convincing; clear & easy to understand for jury
• Be admissible; be able to be used in court

Question 8

Forensic Disk Controller

Answer 8

Intercepting and modifying or discarding commands sent to the storage
device
• Write Blocking, intercepts write commands sent to the device and prevents them from
modifying data on the device
• Return data requested by a read operation
• Returning access-significant information from device
• Reporting errors from device to forensic host
LOGS TAKEN IN THE NORMAL COURSE OF BUSINESS

Question 9

Criminal law

Answer 9

Individuals that violate government laws. Punishment mostly imprisonment

Question 10

Civil law

Answer 10

wrongs against individual or organization that result in a damage or loss. Punishment can
include financial penalties. AKA tort law (I’ll Sue You!) Jury decides liability

Question 11

Administrative/Regulatory law

Answer 11

how the industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties.

Question 12

Uniform Computer Information Transactions Act (UCITA)

Answer 12

Is a federal law that provides a
common framework for the conduct of computer-related business transactions. UCITA contains
provisions that address software licensing. The terms of UCITA give legal backing to the previously
questionable practices of shrink-wrap licensing and click-wrap licensing by giving them status as
legally binding contracts.

Question 13

Enticement

Answer 13

Is the legal action of luring an intruder, like in a honeypot

Question 14

Entrapment

Answer 14

Is the illegal act of inducing a crime, the individual had no intent of committing the crime
at first Federal Sentencing Guidelines provides judges and courts procedures on the prevention,
detection and reporting

Question 15

Security incident and event management

SIEM

Answer 15

Automating much of the routine work of log review.
Provide real‐time analysis of events occurring on systems throughout an organization but don’t
necessarily scan outgoing traffic

Question 16

Network-based DLP -

Answer 16

Scans all outgoing data looking for specific data. Administrators would place it
on the edge of the negative to scan all data leaving the organization. If a user sends out a file containing
restricted data, the DLP system will detect it and prevent it from leaving the organization. The DLP
system will send an alert, such as an email to an administrator.

Question 17

Endpoint-based DLP

Answer 17

Can scan files stored on a system as well as files sent to external devices, such
as printers. For example, an organization endpoint-based DLP can prevent users from copying
sensitive data to USB flash drives or sending sensitive data to a printer

Question 18

3 states of information

Answer 18

• data at rest (storage)
• data in transit (the network)
• data being processed (must be decrypted) / in use / end-point

Question 19

FAIL SAFE:

Answer 19

doors UNLOCK

Question 20

FAIL SECURE

Answer 20

doors LOCK

Question 21

Incident Response (624)
Events:

Answer 21

Anything that happens. Can be documented verified and analyzed

Question 22

Security Incident -

Answer 22

event or series of events that adversely impact the ability of an organization to do
business. Suspected attack.

Question 23

Incident Response Lifecycle

Answer 23

Detection→Response→Mitigation→Reporting→Recovery→Remediation→Lessons Learned→cycle
back to respons

Question 24

RAID 0

Answer 24

Striped, one large disk out of several –Improved performance but no fault tolerance

Question 25

RAID 1

Answer 25

Mirrored drives – fault tolerance from disk errors and single disk failure, expensive;

Question 26

RAID 3

Answer 26

Striped on byte level with extra parity drive – Improved performance and fault tolerance, but
parity drive is a single point of failure and write intensive. 3 or more drives

Question 27

RAID4

Answer 27

Same as Raid 3 but striped on block level; 3 or more drives

Question 28

RAID 5

Answer 28

Striped on block level, parity distributed over all drives – requires all drives but one to be
present to operate hot-swappable. Interleave parity, recovery control; 3 or more drives

Question 29

RAID 6

Answer 29

Dual Parity, parity distributed over all drives – requires all drives but two to be present to
operate hot-swappable

Question 30

RAID 7

Answer 30

Is same as raid5 but all drives act as one single virtual disk

Question 31

Electronic vaulting

Answer 31

Transfer of backup data to an offsite storage location via communication lines

Question 32

Remote Journaling

Answer 32

Parallel processing of transactions to an alternative site via communication
lines

Question 33

Database shadowing

Answer 33

Live processing of remote journaling and creating duplicates of the database
sets to multiple servers

Question 34

Clearing Data

Answer 34

Overwriting media to be reused

Question 35

Purging

Answer 35

Degaussing or overwriting to be removed

Question 36

Desk Check

Answer 36

review plan contents

Question 37

Table-top exercise

Answer 37

Members of the disaster recovery team gather in a large conference room and roleplay a disaster scenario.

Question 38

Simulation tests

Answer 38

Are more comprehensive and may impact one or more noncritical business units of
the organization, all support personnel meet in a practice room

Question 39

Parallel tests

Answer 39

Involve relocating personnel to the alternate site and commencing operations there.
Critical systems are run at an alternate site, main site open also

Question 40

Full-interruption tests

Answer 40

Involve relocating personnel to the alternate site and shutting down operations
at the primary site.

Question 41

BCP Scope and plan initiation

Answer 41

Consider amount of work required, resources required,

management practice

Question 42

Business Continuity Plan development

Answer 42

1. Use BIA to develop BCP (strategy development phase bridges the gap between the
   business impact assessment and the continuity planning phases of BCP development)
2. Testing

Question 43

Plan approval and implementation

Answer 43

1. Management approval

2. Create awareness

Question 44

Warded lock

Answer 44

hanging lock with a key (padlock)

Question 45

Tumbler lock

Answer 45

cylinder slot

Question 46

Cipher Lock

Answer 46

Electrical

Question 47

Device lock

Answer 47

bolt down hardware

Question 48

Preset

Answer 48

ordinary door

lock

Question 49

Raking

Answer 49

circumvent a pin tumbler lock

Question 50

Entitlement

Answer 50

Refers to the amount of privileges granted to users, typically when first provisioning an
account. A user entitlement audit can detect when employees have excessive privileges

Question 51

Bind variables

Answer 51

Are placeholders for literal values in SQL query being sent to the database on a server. Bind variables in SQL used to enhance performance of a database