Domain 7 -- Security Operations Flashcards

1
Q

Give a list of tasks that should be performed by the security admin, not the network admin.

A
  • Implements and maintains security devices and SW
  • Carries out security assessments
  • Creates and maintains user profiles and implements and maintains access control mechanisms
  • Configures and maintains security labels in mandatory access control (MAC) environments
  • Manages password policies
  • Reviews audit logs
2
Q

What kinds of questions do security admins need to ask themselves?

A
  • Are users accessing information and performing tasks that are not necessary for their job function?
  • Are repetitive mistakes being made?
  • Do too many users have rights and privileges to sensitive or restricted data or resources?
3
Q

What is a clipping level?

A

A clipping level is a baseline for violation activities before the activity is considered suspicious

IDS systems normally track activities and behavior patterns

4
Q

Locks are considered _________ devices to intruders.

A

delaying

5
Q

What type of lock is a basic padlock?

A

A ward lock.

It has a spring-loaded bolt with a notch cut in it.

6
Q

What kind of lock has more pieces than a ward lock?

A

A tumbler lock

7
Q

What are the three types of tumbler locks and what’s the difference between them?

A
  • The pin tumbler lock is the most common
  • Wafer tumbler lock – the round kind normally found in filing cabinets
    • Does not afford much protection – easily circumvented
  • Lever Tumbler lock
8
Q

What is a cipher lock?

A

A cipher lock is a programmable lock that is keyless and uses a keypad.

  • Can require a card to be swiped or a combo to be entered
  • More expensive, but more functionality
9
Q

What kinds of functionality is available on cipher locks?

A
  • Door delay – alarm triggers if door is open for too long
  • Key override – special combination can be entered to override normal functions
  • Master keying
  • Hostage alarm
10
Q

What are two important things to remember to do with combination locks?

A
  1. Change the combination periodically
  2. Use random combination sequences
11
Q

What are examples of device locks?

A
  • Switch controls - cover on/off power switches
  • Slot locks
  • Port controls - blocks access to disk drives or unused serial or parallel ports
  • Peripheral switch controls
  • Cable traps (prevent removal of input/output devices by passing cables through a lockable unit)
12
Q

What are the three grades of locks available?

A
  • Grade 1 – Commercial and industrial light use
  • Grade 2 – Heavy duty residential / light duty commercial
  • Grade 3 – Residential consumer
13
Q

What are the three main categories of lock cylinders?

A
  • Low security – No pick or drill resistance
  • Medium security – some pick protection provided
  • High security – pick resistance through many different mechanisms
14
Q

What are two techniques for circumventing tumbler locks and how do they work?

A
  1. Raking –
  2. Lock bumping
    • Need a bump key to make it work
15
Q

Exam Tip

What are Electronic Access Control (EAC) tokens?

A
  • Generic term to describe proximity authentication devices
    • proximity readers
    • programmable locks
    • biometric systems
16
Q

What are the goals of External Boundary Protection Mechanisms?

A
  • Control pedestrian and vehicle traffic flow
  • Various levels of protection for different security zones
  • Buffers and delaying mechanisms to protect against forced entry attempts
  • Limit and control entry points
17
Q

What controls can be used to provide external boundary protection?

A
  • Access control mechanisms
    • locks, keys, card systems, personnel awareness
  • Physical barriers
    • Fences, gates, walls, doors, windows, vents, vehicular barriers
  • Intrusion detection
    • Perimeter sensors, interior sensors, annunciation mechanisms
  • Response
    • Guards, local law enforcement
  • Deterrents
    • Signs, lighting, environmental design
18
Q

Talk to me about fence height.

A
  • 3-4 feet high only deter casual trespassers
  • 6-7 feet high are considered too high to climb easily
  • 8 feet high means that you are serious about protecting your property
19
Q

What is PIDAS Fencing?

A

It stands for Perimeter Intrusion Detection and Assessment System (PIDAS)

  • has sensors
  • Can detect if a person attempts to climb or cut fence
20
Q

What is meant by glare protection for the security force?

A

It means that bright lights should be pointed towards the things that the guards have to observe (like gates), so that the security team is not fighting the light to do their job.

21
Q

What is standby lighting?

A

It is lighting that can be configured to turn on or off at various times to give the appearance that facilities are occupied.

22
Q

What is an annunciator system?

A

They are products that can “listen” for noise or watch CCTV cameras or detect movement.

It makes it so the security guard doesn’t have to stare at a camera for 8 hours per day.

23
Q

What are the sorts of things that physical IDS can trigger on?

A
  • Beams of light
  • Sounds and vibrations
  • Motion
  • Different kinds of fields
    • microwave, ultrasonic, electrostatic
  • Electrical circuit
24
Q

What are some of the most important things to keep in mind regarding Intrusion Detection systems?

A
  • They are expensive and require human intervention
  • Require redundant power and emergency power backup
  • They can be linked to a centralized security system
  • They should have a failsafe configuration, which defaults to activated
  • They should detect and be resistant to tampering
25
Q

Exam Tip:

Because the use of guard dogs introduces significant risks to human safety, exam answers that include dogs are likely to be ___________.

A

incorrect

26
Q

Audit and access logs are ______________, not preventative.

A

detective

27
Q

What are examples of internal physical security controls?

A
  • Work area separation
  • Personnel badges that must be worn in the building
  • Roving guards that look for violations and unauthorized personnel
28
Q

What’s the definition of provisioning for the CISSP exam?

A
  • The set of all activities required to provide one or more new information services to a user or group of users.
  • Provisioning must be done securely
29
Q

What’s the best way to track hardware to know that you’ve got everything you’re supposed to be tracking?

A

Get monitoring software that detects devices on the network.

30
Q

What are the key things to do in order to track software properly?

A
  • Application whitelisting
  • Using gold masters
  • Enforcing the principle of least privilege
  • Automated scanning
31
Q

What is the Asset Management Cycle?

A
  • Business Case
  • Acquisition
  • Operation and Maintenance (O&M)
  • Retirement
32
Q

What is configuration management as it relates to the CISSP exam?

A

Configuration management is the process of establishing and maintaining consistent baselines on all of our systems.

33
Q

What’s the difference between Change Management and Configuration Management?

A

Change management is a business process.

  • concerned with changing features of system being developed
  • IT and security people are not usually in charge of change management (though they are involved in it)

Configuration management is an operational process.

  • Example is how to configure software
  • Information security usually leads in configuration management
34
Q

What are the steps in the Change Control Process?

A
  • Request for a change to take place
  • Approval of the change
  • Documentation of the change
  • Tested and presented
  • Implementation
  • Report Change to management
35
Q

What’s the difference between:

  • System reboot
  • Emergency system restart
  • System cold start
A
  • System reboot – takes place after the system shuts itself down in a controlled manner in response to a kernel failure
  • Emergency system restart – takes place after a system failure happens in an uncontrolled manner
  • System Cold Start – takes place when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system to a more consistent state
36
Q

What are the three steps to take after a system crash?

A
  1. Enter into single user or safe mode
  2. Fix issue and recover files
  3. Validate critical files and operations
37
Q

Name 4 things you should do while recovering a system.

A
  • Protect the boot sequence (C:, A:, D:) – make sure that a hacker can’t get the system to boot from a drive that you don’t want it to boot from
  • Do not allow bypassing of writing actions to system logs
  • Do not allow system forced shutdowns – only admins should have the ability to shut systems down.
  • Do not allow outputs to be rerouted
38
Q

What are steps that should be part of any Change Control Policy?

A
  • Request for a Change to take place
  • Approval of the change
  • Documentation of the Change
  • Tested and Presented
  • Implementation
  • Report Change to management
39
Q

What is a critical element of any change plan?

A

A backout plan

40
Q

What’s the difference between:

  • System reboot
  • Emergency system restart
  • System cold start
A
  • System Reboot – takes place after the system has shut itself down in a controlled manner in response to a kernel failure
  • Emergency system restart – takes place after a system failure happens in an uncontrolled manner
  • System Cold Start – takes place when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system to a more consistent state
41
Q

What are some key guidelines for remote systems administration?

A
  • Require a VPN connection protected with 2-factor authentication
  • Commands and data should not be transmitted in cleartext
  • Strong authentication should be in place for any administrative activities
  • Truly critical systems should be administered locally, rather than remotely
  • Only a small number of administrators should be able to carry out remote functionality
42
Q

What’s the difference between MTBF and MTTF?

A
  • MTBF - Mean Time Between Failures assumes that a device is repairable
  • MTTF – Mean Time to Failure – means that the device is not repairable
43
Q

What does MAID stand for?

A

Massive Array of Inactive Disks

Similar idea to RAID, but with the intent to replace tape drives / tape libraries.

Disks spin up and are powered on only when needed.

44
Q

What does MSSP stand for?

A

Managed Security Services Provider

45
Q

What considerations should you consider before hiring an MSSP?

A
  • Requirements
  • Understanding
  • Reputation
  • Costing
  • Liability
46
Q

What’s the difference between an event and an incident?

A
  • An event is something that happened
  • An incident is a negative thing that happened
  • An incident is a type of event
47
Q

What are three types of Incident response teams?

A
  • A virtual team – experts who have other duties and assignments, but who will be part of the incident response team in a crisis
  • A permanent team – People who are dedicated strictly to incident response
  • A hybrid team – hybrid of virtual and permanent.
48
Q

What are the basic items that an incident response team should have available?

A
  • A list of outside agencies and resources to contact or report to
  • An outline of roles and responsibilities
  • A call tree to contact these roles and outside entities
  • A list of computer or forensic experts to contact
  • A list of steps to take to secure and preserve evidence
  • A list of items that should be included in a report for management and potentially the courts
  • A description of how the different systems should be treated in this type of situation
49
Q

What is CERT and how can you take advantage of it?

A

CERT stands for Computer Emergency Response Team

  • CERT is an organization that is responsible for monitoring and advising users and companies about security preparation and security breaches.
  • Members of a company’s incident response team should get on the mailing list to keep apprised of new issues and so they can spot malicious events
50
Q

What are the seven steps of the Cyber Kill Chain?

A
  1. Reconnaissance
  2. Weaponization
  3. Delivery (95% of the time via email with a link to a malicious website)
  4. Exploitation (attacker’s software is running in your organization)
  5. Installation – malicious software is usually delivered in stages
  6. Command and Control – Most malware will phone home to let attackers know that the attack was successful
  7. Actions on the Objective

As security professionals, we want to kill the attack as early as possible.

51
Q

What information should be reported for each security incident?

A
  • Summary of incident
  • Indicators
  • Related incidents
  • Actions taken
  • Chain of custody of all evidence (if applicable)
  • Impact assessment
  • Identity and comments of incident handlers
  • Next steps to be taken
52
Q

What are the key steps in Incident Response?

A
  • Detection
  • Response
  • Mitigation
  • Reporting
  • Recovery
  • Remediation – permanent solution to make sure it never happens again
53
Q

What is an IOC and IOA and give examples?

A

IOC stands for Indicator of Compromise

IOA stands for Indicator of Attack

Indicators of both:

  • Outbound traffic to a particular IP address or domain name
  • Abnormal DNS query patterns
  • Unusually large HTTP requests and/or responses
  • DDoS traffic
  • New Registry entries (in Windows systems)
54
Q

What questions should be asked to ensure that the organization learns from the incidents it encounters?

A
  • What happened?
  • What did we learn?
  • How can we do better next time?
55
Q

What are key considerations re whether to bring law enforcement in regarding a security breach?

A
  • Law enforcement agencies are good at investigation
  • Company could lose control over where the investigation goes
  • Secrecy of compromise is not promised. Could be part of public record
  • Effects of reputation must be considered
  • Evidence will be collected and may not be available for a long period of time. It may take a year or more to get it to court
56
Q

What is the SWGDE and what are its principles?

A

It’s an organization that aims to ensure consistency across the forensics community. Principles:

  1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
  2. Upon the seizing of digital evidence, actions taken should not change that evidence
  3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose
  4. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved and available for review.
  5. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
  6. Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
57
Q

What does MOM stand for with respect to computer crime?

A

Motive, Opportunity, Means

58
Q

Motive is the _____ and ______ of a crime.

A

who and why

59
Q

What are the four different types of assessments Incident Investigators can do?

A
  • Network Analysis
  • Media Analysis
  • Software analysis
  • Hardware/embedded device analysis
60
Q

What are the four types of Incident Investigations and how are they different?

A
  • Administrative – focused on policy violations (least impactful)
  • Criminal – if we think that a crime may have been committed, then we need to preserve evidence and engage Law enforcement agencies (LEA’s)
  • Civil – similar to legal, but law enforcement won’t be involved (just lawyers on both sides). Standard of proof is much lower for civil cases
  • Regulatory – a regulatory investigation is initiated by a government regulator when there is reason to believe that an organization is not in compliance with applicable laws.
    • Company’s responsibility is to preserve evidence and assist regulators as appropriate
61
Q

What are the key steps in the Forensic Investigation Process?

A
  • Identification
  • Preservation
  • Collection
  • Examination
  • Analysis
  • Presentation
  • Decision
62
Q

What are the key principles to keep in mind regarding the crime scene?

A
  • Only allow authorized individuals onto the crime scene
  • Document who is at the crime scene
  • Document who the last individuals were to interact with the systems
  • If the crime scene becomes contaminated, document it
63
Q

To prove the integrity of the evidence, it is important to create an _________ ___________ of the evidence.

A

Message digest

64
Q

What are some of the key tools in a forensics toolkit?

A
  • Documentation Tools
  • Disassembly and removal tools
  • Package and transport supplies
65
Q

What is a very important concept in evidence handling?

A

Chain of custody

66
Q

What are the four steps in the lifecycle of evidence?

A
  • Collection and identification
  • Storage, preservation and transportation
  • Presentation in Court
  • Return of evidence to the victim or owner
67
Q

Which amendment of the US Constitution protects Americans against unlawful search and seizure?

A

The Fourth Amendment

68
Q

What’s the difference between enticement and entrapment?

A
  • Enticement is legal as usually done. Honeypots are enticement
  • Entrapment would be if a user clicked on an ad and was taken to a honeypot which then recorded all of the suspected hacker’s actions
69
Q

What does WRT stand for in the context of Disaster Recovery?

A

WRT is Work Recovery Time

70
Q

What does MTD stand for in the context of Disaster Recovery?

A

Maximum Tolerable Downtime

71
Q

What’s the difference between:

  • Nondisaster
  • Disaster
  • Catastrophe
A
  • Nondisaster is a significant disruption in service, but is limited
  • A disaster is an event that causes an entire facility to be unusable for a day or longer
  • A catastrophe is a major disruption that destroys the facility altogether
72
Q

What’s a hot site?

A
  • A facility that is leased or rented and is fully configured and ready to operate within a few hours
  • The only missing resource is the data
73
Q

What is a warm site?

A
  • A warm site is a leased or rented facility that is partially configured with some equipment, such as HVAC and foundational infrastructure components, but not actual computers
  • Drawback is that you have to procure the equipment and then set it up.
74
Q

What is a cold site?

A
  • A cold site is a leased or rented facility that supplies the basic environment, electrical wiring, AC, plumbing and flooring, but none of the equipment or additional services
  • It could take weeks to get the site activated and ready to work.
  • Least expensive option, but the most time consuming after the disaster
75
Q

What is a tertiary site?

A
  • If there’s a danger of the main backup facility not being available, a tertiary site could be considered.
  • Plan B if Plan A does not work out.
76
Q

What is a reciprocal agreement?

A
  • Company A allows Company B to use its facilities in the event of a disaster and vice versa
  • Not always the greatest idea. Lots of downsides
    • Security, operational, will it even work?
77
Q

How far away should the backup facility be for DR?

A
  • Bare minimum 5 miles
  • 15 miles for low to medium critical environments
  • 50 - 200 miles for critical operations and to protect against regional disasters
78
Q

What is a mutual aid agreement?

A
  • It’s like a reciprocal agreement, except it has more than 2 parties.
  • Even more complicated than reciprocal agreements
79
Q

What’s a redundant site?

A
  • There is a second site that is equipped and configured just like the primary site.
  • It is owned by the company
  • It is a mirror of the main site
  • It is different from a hot site because a hot site is a subscription service, whereas a redundant site is owned by the company
80
Q

What’s a rolling hot site?

A
  • Large truck or trailer that can be transported easily to a location. Loaded with equipment
  • aka mobile site
81
Q

What is a software escrow agreement?

A
  • A third party holds the source code, backups of compiled code, manuals and other supporting materials
  • Gives the customer access to the source code only if and when the vendor goes out of business, is unable to carry out its responsibilities or is in breach of the contract
82
Q

What’s the difference between a differential backup and an incremental backup?

A
  • Differential backup is a backup of everything since the last full backup
  • Incremental backup is a backup of everything since the last full or incremental backup.
  • Disadvantage is that if you need to recover you need to get the last full backup, plus every intervening incremental backup.
83
Q

What is electronic vaulting?

A
  • Electronic vaulting makes copies of files as they are modified and periodically transmits them to an offsite backup site.
  • Does not happen in real-time, but is carried out in batches
84
Q

What is remote journaling?

A
  • Moving the journal (aka transaction logs) to a remote site, rather than the actual files
  • Used for database recovery, where the transactions can be replayed.
  • Exam tip – remote journaling takes place in real-time and transmits only file deltas. By comparison, electronic vaulting takes place in batches and moves the entire file that has been updated.
85
Q

What is electronic tape vaulting?

A

Electronic tape vaulting transmits data over a network to tape devices located in the alternate data center.

86
Q

What is an important part of DR that is dreaded by most people?

A

Documentation

87
Q

What is proximate cause?

A

Proximate cause is an act or omission that naturally and directly produces a consequence.

88
Q

What should be considered to fill the gap between preventive countermeasures and the unexpected?

A

Insurance

Cyber insurance to protect against DoS attacks, malware damages, electronic theft, privacy lawsuits, etc.

Business interruption insurance if the company is out of business for a certain amount of time.

89
Q

What are some of the key teams needed for a DR plan?

A
  • Damage assessment team
  • Recovery team
  • Relocation team
  • Restoration team
  • Salvage team
  • Security team
90
Q

What does the DR assessment team do?

A
  • Determine the cause of the disaster
  • Determine the potential for further damage
  • Identify affected business functions and areas
  • Identify the level of functionality for the critical resources
  • Identify the resources that must be replaced immediately
  • Estimate how long it will take to bring critical functions back on line
  • If it will take longer than the estimated MTD, then a disaster should be declared and the BCP should be put into action
91
Q

In a disaster, what is the top priority?

A

Human safety

92
Q

What are the four requirements for evidence to be admissible in court?

A
  1. Relevant
  2. Complete
  3. Sufficient
  4. Reliable
93
Q

An administrator is granting permissions to a database. What is the default level of access the administrator should grant to new users in the organization?

A

No access

94
Q

What is a primary benefit of job rotation and separation of duties policies?

A

Preventing fraud

95
Q

Which of the following can be an effective method of configuration management using a baseline?

A

Using images

96
Q

Which of the following is the best response after detecting and verifying an incident?

A

Containment is the first step after detecting and verifying an incident. This limits the effect or scope of an incident. Organizations report the incident based on policies and governing laws, but this is not the first step.

97
Q

Which of the following would security personnel do during the remediation stage of an incident response?

A

Security personnel perform a root cause analysis during the remediation stage. A root cause analysis attempts to discover the source of the problem.

98
Q

Of the following choices, what is the best form of anti-malware protection?

A

Anti-malware protection at several locations

A multipronged approach provides the best solution. This involves having antimalware software at several locations, such as at the boundary between the internet and the internal network, at email servers, and on each system. More than one antimalware application on a single system isn’t recommended. A single solution for the whole organization is often ineffective because malware can get into the network in more than one way. Content filtering at border gateways (boundary between the internet and the internal network) is a good partial solution, but it won’t catch malware brought in through other methods.

99
Q

What can be used to reduce the amount of logged or audited data using nonstatistical methods?

A

Clipping levels

Clipping is a form of nonstatistical sampling that reduces the amount of logged data based on a clipping-level threshold. Sampling is a statistical method that extracts meaningful data from audit logs.

100
Q

What is the end goal of disaster recovery planning?

A

Restoring normal business activity

Once a disaster interrupts the business operations, the goal of DRP is to restore regular business activity as quickly as possible. Thus, disaster recovery planning picks up where business continuity planning leaves off.

101
Q

According to the Federal Emergency Management Agency, approximately what percentage of U.S. states is rated with at least a moderate risk of seismic activity?

A

80 percent

Forty-one of the 50 U.S. states are considered to have a moderate, high, or very high risk of seismic activity. This rounds to 80 percent to provide the value given in option D.

102
Q

What is the typical time estimate to activate a warm site from the time a disaster is declared?

A

12 hours

103
Q

What is the main purpose of a military and intelligence attack?

A

To obtain secret and restricted information from military or law enforcement sources

A military and intelligence attack is targeted at the classified data that resides on the system. To the attacker, the value of the information justifies the risk associated with such an attack. The information extracted from this type of attack is often used to plan subsequent attacks.

104
Q

What’s the main goal of a financial attack?

A

A financial attack focuses primarily on obtaining services and funds illegally.

105
Q

What’s the goal of a grudge attack?

A

Any action that can harm a person or organization, either directly or through embarrassment, would be a valid goal of a grudge attack. The purpose of such an attack is to “get back” at someone.

106
Q

What are the primary reasons attackers engage in thrill attacks? (Choose all that apply.)

A
  • Bragging rights
  • Pride of conquering a secure system

Thrill attacks have no reward other than providing a boost to pride and ego. The thrill of launching the attack comes from the act of participating in the attack (and not getting caught).

107
Q

According to the (ISC)2 Code of Ethics, how are CISSPs expected to act?

A
  1. Honorably
  2. Honestly
  3. Justly
  4. Responsibly
  5. Legally
108
Q

Which of the following actions are considered unacceptable and unethical according to RFC 1087, “Ethics and the Internet”?

A

Only “actions that compromise the privacy of users” are explicitly identified in RFC 1087.

109
Q
A