Domain 7: Security Operations

Question 1

Process at an incident scene

Answer 1

Ensure you identify the scene, protect the environment, identify evidence and potential sources of evidence, collect evidence (hash) and minimise the degree of contamination

Question 2

Locard’s Exchange Principle

Answer 2

Perpetrator of a crime will bring something into the crime scene and leave with something from it

Question 3

Sufficient: Evidence

Answer 3

Persuasive enough to convince one of its validity

Question 4

Reliable: Evidence

Answer 4

Consistent with fact, evidence has not been tampered with or modified

Question 5

Relevant: Evidence

Answer 5

Relationship to the findings must be reasonable and sensible, proof of crime, documentation of events, proof of acts and methods used, motive proof, identification of acts

Question 6

Permissible: Evidence

Answer 6

Lawful obtaining of evidence, avoid: unlawful search and seizure, secret recording, privacy violations, forced confessions

Question 7

Techniques to Identify Evidence

Answer 7

Labeling, recording serial number. Evidence must be preserved and identifiable.

Question 8

Evidence lifecycle

Answer 8

1. Discovery
2. Protection
3. Recording
4. Collection and identification
5. Analysis
6. Storage, preservation, transportation
7. Present in court
8. Return to owner

Witnesses that evidence is trustworthy, description of procedures, normal business methods collections, error precaution and correction

Question 9

Best Evidence

Answer 9

Primary evidence is used at the trial because it is the most reliable. Original documents are used to document things such as contracts. This means NO COPIES. Further, oral evidence is not the best evidence, however, it can be used for interpretation of documents.

Question 10

Secondary Evidence

Answer 10

Not as strong as best evidence, a copy is not permitted if the original is available. Further examples include, oral evidence like Witness testimony.

Question 11

Direct Evidence

Answer 11

Can prove fact by itself and does not need any type of backup. Testimony from a witness - one of their five senses. Oral evidence is a type of secondary evidence so the case can’t simply stand on it alone. But it is Direct Evidence and does not need other evidence to substantiate.

Question 12

Conclusive Evidence

Answer 12

Irrefutable and cannot be contradicted. Requires no other corroboration.

Question 13

Circumstantial Evidence

Answer 13

Used to help assume another fact, however, cannot stand on its own to directly prove a fact

Question 14

Corroborative Evidence

Answer 14

Supports or substantiates other evidence presented in a case

Question 15

Hearsay Evidence

Answer 15

Something a witness hears another one say. Also business records are hearsay and all that’s printed or displayed. One exception to business records: audit trails and business records are not considered hearsay when the documents are created in the normal course of business.

Question 16

Interviewing

Answer 16

Gather facts and determine the substance of the case

Question 17

Interrogation

Answer 17

Evidence retrieval method, ultimately obtain a confession

Question 18

The process - Due Care

Answer 18

• Prepare questions and topics, put witness at ease, summarise information - interview/interrogation plan
• Have one person as lead and 1-2 others involved aswell
• Never interrogate or interview alone

Question 19

Opinion Rule

Answer 19

Requires witnesses to testify only about the facts of the case, cannot be used as evidence in the case

Question 20

Expert Witnesses

Answer 20

Used to educate the jury, can be used as evidence

Question 21

Six Principles of Digital Evidence

Answer 21

1. Ensure you apply all of the general forensic and procedural principles
2. Upon seizing digital evidence, ensure evidence is not changed
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose
4. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved and available for review
5. An individual is responsible for all actions taken to the digital evidence while it is in their possession
6. Any agency seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.

Question 22

Media Analysis

Answer 22

Involves the identification and extraction of information from storage media, such as hard disks and RAM. This may include recovery of deleted files or static analysis of forensic images of storage media.

Question 23

Network Analysis

Answer 23

Analysis of network activity, such as network logs, packet captures. Focus is on collecting and correlating information from these disparate sources and produce as comprehensive a picture of network activity as possible.

Question 24

Hardware/Embedded Device Analysis

Answer 24

Review the contents of hardware and embedded devices, such as phones and laptops.

Question 25

Admissible Evidence

Answer 25

1. Evidence must be relevant to determining a fact
2. The fact that the evidence seeks to determine must be material (that is, related) to the case
3. The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

Question 26

Five rules of Evidence

Answer 26

1. Be authentic; evidence tied back to scene
2. Be accurate; maintain authenticity and veracity
3. Be complete; all evidence collected, for and against view
4. Be convincing; clear and easy to understand for jury
5. Be admissible; be able to be used in court

Question 27

Forensic Disk Controller

Answer 27

Intercepting and modifying or discarding commands sent to the storage device. This includes:

• Write blocking, intercepting write commands sent to the device and prevents them from modifying data on the device
• Return data requested by a read operation
• Returning access-significant information from device
• Reporting errors from device to forensic host

Question 28

MOM: Investigation

Answer 28

Means, opportunity and motive. Determine suspects

Question 29

Victimology

Answer 29

Why certain people are victims of crime and how lifestyle affects the changes that a certain person will fall victim to a crime investigation

Question 30

Types of Investigation

Answer 30

• Operational
• Criminal
• Civil
• eDiscovery

Question 31

Slack space

Answer 31

Slack space on a disk should be inspected for hidden data and should be included in a disk image

Question 32

Common Law

Answer 32

Used in USA, UK, Australia and Canada (judges)

Question 33

Civil Law

Answer 33

Europe, South America

Question 34

Islamite and other Religious Laws

Answer 34

Middle East, Africa and Indonesia

Question 35

USA’s 3 Branches of Law

Answer 35

1. Legislative: writing laws (statutory laws)
2. Executive: enforces laws (administrative laws)
3. Judicial: interprets laws (makes common laws out of court decisions)

Question 36

3 Categories of Laws

Answer 36

1. Criminal Law
2. Civil Law
3. Administrative/Regulatory Laws

Question 37

Criminal Law

Answer 37

Individuals that violate Government laws. Punishment is typically imprisonment

Question 38

Civil Law

Answer 38

Wrongs against individual or organisation that result in a damage or loss. Punishment can include financial penalties. AKA tort law where jury decides liability

Question 39

Administrative/Regulatory Laws

Answer 39

How the industries, organisations and officers have to act. Wrongs can be penalised with imprisonment or financial penalties.

Question 40

Uniform Computer Information Transactions Act (UCITA)

Answer 40

Federal law which provides common framework for conduct of computer related business transactions. Provides basis for software licensing.

Question 41

Types of computer crime

Answer 41

1. Unauthorised intrusion
2. Unauthorised alteration or destruction
3. Malicious code

Question 42

Enticement

Answer 42

is the legal action of luring an intruder, like in a honeypot.

Question 43

Entrapment

Answer 43

Is the illegal act of inducing a crime, the individual had no intent of committing the crime at first

Question 44

Federal Sentencing Guidelines

Answer 44

Provides judges and courts procedures on the prevention, detection and reporting

Question 45

Purpose of Security Incident and Event Management (SIEM)

Answer 45

Automating much of the routine work of log review. Provide real-time analysis of events occurring on systems throughout an organisation but don’t necessarily scan outgoing traffic

Question 46

Intrusion

Answer 46

Occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organisation’s resources

Question 47

Intrusion Detection

Answer 47

Monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion

Question 48

IDS

Answer 48

Intrusion detection system automates inspection of logs and real-time system events to detect intrusion attempts and system failures

Question 49

IPS

Answer 49

Intrusion prevention system includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions.

Question 50

DLP

Answer 50

Data Loss Prevention systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns.

Question 51

Network Based DLP

Answer 51

Scans all outgoing data looking for specific data. Administrators would place it on the edge of the network to scan all data leaving the organisation. The system will scan, block and alert if a file was leaving the system.

Question 52

Endpoint Based DLP

Answer 52

Can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organisation endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer

Question 53

3 States of Information

Answer 53

1. Data at Rest (storage)
2. Data in Transit (moving through network)
3. Data being processed (must be decrypted) / in use / end-point

Question 54

Configuration item (CI)

Answer 54

Component whose state is recorded. Version: recorded state of the CI

Question 55

Configuration

Answer 55

Collection of component CI’s that make another CI

Question 56

Building

Answer 56

Assembling a version of a CI using component CI’s

Question 57

Build list

Answer 57

Set of versions of component CI’s used to build a CI software library

Question 58

CI Software Library

Answer 58

Controlled area only accessible for approved users

Question 59

Artifacts

Answer 59

Configuration Management

Question 60

Recovery Procedures

Answer 60

System should restart in secure mode, startup should occur in maintenance mode that permits access only by privileged users from privileged terminals

Question 61

Fault-tolerant

Answer 61

Systems continue to function despite failure

Question 62

Fail safe system

Answer 62

Program execution is terminated and system protected from compromise when hardware or software failure occurs

Question 63

Fail Closed/secure

Answer 63

Most conservative from a security perspective. Denies all further access.

Question 64

Fail Open

Answer 64

Permits all access

Question 65

Fail Hard

Answer 65

Such as BSOD, where human intervention to see why it failed is required

Question 66

Fail soft or resilient system

Answer 66

Reboot, selected, non-critical processing is terminated when failure occurs

Question 67

Failover

Answer 67

Switches to hot backup

Question 68

Fail Safe

Answer 68

Doors UNLOCK

Question 69

Fail Secure

Answer 69

Doors LOCK

Question 70

Trusted Path

Answer 70

Protected data between users and a security component. Channel established with strict standards to allow necessary communication to occur without exposing the TCB to security vulnerabilities. A trusted path also protects system users (sometimes known as subjects) from compromise as a result of a TCB interchange. This is the only way to cross security boundary appropriately.

Question 71

Events

Answer 71

Anything that happens. Can be documented, verified and analysed

Question 72

Incident

Answer 72

Event or series of events that adversely impact the ability of the organisation to do business.

Question 73

Security Incident

Answer 73

This could be a suspected attack.

Question 74

Security Intrusion

Answer 74

Evidence attacker attempted or gained access

Question 75

Lifecycle of incident

Answer 75

1. Detection
2. Response
3. Mitigation
4. Reporting
5. Recovery
6. Remediation
7. Lessons Learned

It is all about response capability (policy, procedures a team) –> incident response and handling (triage, investigation, containment, and analysis of and tracking) –> Recovery (recovery/repair), –> debriefing/feedback (external communications) –> Mitigation: limit the effect or scope of an incident

Question 76

RCA

Answer 76

Tree/Boolean - Fault Tree Analysis, such as:

• 5Ways
• Failure Mode and Effects Analysis
• Pareto Analysis
• Fault Tree Analysis
• Cause Mapping

Question 77

HIDS: Firewalls

Answer 77

Host Based IDS, monitors activity on a single computer, including process calls and information recorded in firewall logs. Can examine events in more detail than NIDS. Benefits of HIDS include that it can detect anomalised on the host system that NIDS cannot detect

Question 78

NIDS: Firewalls

Answer 78

Network based IDS, monitors and evaluates network activity to detect attacks or event anomalies. It cannot monitor the content of encrypted traffic but can monitor other packet details.

Question 79

Full: Backup Type

Answer 79

All files, archieve bit and modify bit are cleared. Advantage: only previous day needed for full restore, disadvantage: time consuming

Question 80

Incremental: Backup Type

Answer 80

Only backups modified files, archieve bit cleared. Advantage: least time and space, Disadvantage: first restore full then all incremental backups, thus less reliable because it depends on more components

Question 81

Differential: Backup Type

Answer 81

Backups only modified files, doesn’t clear archive bit. Advantage: full and only last difference needed, intermediate time between full and diff

Question 82

Redundant Servers

Answer 82

Applies RAID 1 mirroring concept to servers. On error servers can do a fail-over. This AKA server fault tolerance

Question 83

Server clustering

Answer 83

Group of independent servers which are managed as a single system. All servers are online and take part in processing service requests. Individual computing devices on a cluster vs. a grid system - cluster devices all share the same OS and application software but grid devices can have different OSs while still working on same problem

Question 84

Tape Rotation Schemes

Answer 84

Grandfather/Father/Son, Tower of Hanoi, Six Cartridge Weekly

Question 85

RAIT

Answer 85

Robotic mechanisms to transfer tapes between storage and drive mechanisms

Question 86

Mutual Aid Agreement: DRP

Answer 86

Arrangement with another similar corporation to take over processes. Advantage: cheap, disadvantage, must be exact same, is there enough capability, only for short term, and what if disaster affects both corporations. Is not enforceable.

Question 87

Subscription Service

Answer 87

Third party, commercial services provide alternate backups and processing facilities. Most common of implementaitons.

Question 88

Redundant Site

Answer 88

Mirrored site, potential 0 downtime

Question 89

Hot Site - Internal/External

Answer 89

Fully configured computer facility. All applications are installed, up-to-date mirror of the production system. For extremely urgent critical transaction processing. Advantage: 24/7 availability and exclusive use are assured. Disadvantage: Very costly

Question 90

Warm Site

Answer 90

Cross between hot and cold site. The computer facility is available but the applications may not be installed or need to be configured. External connections and other data elements that take log time to order are present. Advantages: less costly, however, disadvantages include: more time to setup (could be 12 hours).

Question 91

Cold Site

Answer 91

Least ready but most commonly used. Has no hardware installed only power and HVAC. Advantage: cheap, however, disadvantages include: very lengthy time of restoration.

Question 92

Service Bureau

Answer 92

Contract with a service bureau to fully provide alternate backup processing services. Advantage: quick response and availability.

Question 93

Multiple Centres (AKA Dual Sites)

Answer 93

Processing is spread over several computer centres. Can be managed by same corporation (in-house) or with another organisation (reciprocal agreement). Advantage: costs, multiple sites will share resources and support. Disadvantage: a major disaster could affect both sites; multiple configurations have to be administrered.

Question 94

Other data centre backup alternatives

Answer 94

1. Rolling/mobile sites: mobile homes or HVAC trucks. Could be considered a cold site.
2. In-house or external: Supply of hardware replacements. Stock of hardware either onsite or with a vendor. May be acceptable for warm site but not for hot site.

Question 95

Prefabricated Buildings

Answer 95

A very cold site

Question 96

RTO

Answer 96

Recovery Time Objectives. Refers to business processes, not hardware.

Hot Site RTO: In minutes or hours
Warm Site RTO: 1-2 days
Mobile Site RTO: 3-5 Days
Cold Site: RTO 1-2 weeks

Question 97

RAID 0: Striped

Answer 97

One large disk out of several physical disk. Improved performance but no fault tolerance

Question 98

RAID 1: Mirrored

Answer 98

Mirrored drives. Fault tolerance from disk errors and single disk failure. Expensive, and offers redundancy only, with no improvement to speed.

Question 99

RAID 2

Answer 99

Not used commercially. Hammering code parity/error

Question 100

RAID 3

Answer 100

Striped on a byte level with extra parity drive - improved performance and fault tolerance, but parity drive is a single point of failure and write intensive. 3 or more drives

Question 101

RAID 4

Answer 101

Same as RAID 3 but striped on a block level. 3 or more drives

Question 102

RAID 5

Answer 102

Striped on block level, parity distributed over all drives - requires all drives but one to be present to operate hot swappable. Interleave parity

Question 103

RAID 6

Answer 103

Dual Parity, parity distributed overall drives. Requires all drives but two to be present to operate hot-swappable drives.

Question 104

RAID 7

Answer 104

Same as RAID 5 but all drives act as one single virtual disk

Question 105

Tape: Storage Media

Answer 105

Sequential, slow read, fast write (200GB an hour), historically cheaper than disk (now changing), robotic libraries

Question 106

Disk: Storage Media

Answer 106

Fast read/write, less robust than tape

Question 107

Optical Drive

Answer 107

CD/DVD. Inexpensive

Question 108

MTTF

Answer 108

Mean Time to Failure

Question 109

MTTR

Answer 109

Mean Time to Repair

Question 110

MTBF

Answer 110

Mean Time between Failures (Useful Life) = MTTF + MTTR

Question 111

JBOD

Answer 111

Most basic type of storage

Question 112

Electronic Vaulting

Answer 112

Transfer of backup data to an offsite storage location via communication lines

Question 113

Remote Journaling

Answer 113

Parallel processing of transactions to an alternative site via communication lines

Question 114

Database Shadowing

Answer 114

Live processing of remote journaling and creating duplicates of the database sets to multiple servers

Question 115

Object Reise

Answer 115

Use after initial use

Question 116

Data Remanence

Answer 116

Remaining data after erasure. Format magnetic media 7 times (orange book)

Question 117

Clearing

Answer 117

Overwriting media to be reused

Question 118

Purging

Answer 118

Degaussing or overwriting to be removed

Question 119

Destruction

Answer 119

Completely destroy preferably by burning

Question 120

End Goal: DRP

Answer 120

Restore normal business operations.

Question 121

Statement of Actions

Answer 121

Actions that have to be taken before, during and after a disruptive event that causes a singificant loss

Question 122

Information Goal

Answer 122

Provide organised way for decision making, reduce confusion and deal with the crisis. Planning and development must occur before the disaster

Question 123

Disaster

Answer 123

Any event, natural or manmade, that can disrupt normal IT operations. A disaster is not over until all operations have been returned to their normal location and function. It will be officially over when the data has been verified at the primary site, as accurate

Question 124

Recovery Team: DRP Teams

Answer 124

Mandated to implement recovery after the declaration of the disaster

Question 125

Salvage Team

Answer 125

Goes back to the primary site to bring normal processing environmental conditions. Clean, repair, salvage. Can declare when primary site is available again.

Question 126

Normal Operations Resume Plan

Answer 126

Has all procedures on how the company will return processing from the alternate site

Question 127

Other recovery issues

Answer 127

Interfacing with other groups: everyone outside the corporation.
Employee relations: responsibility towards employees and families
Fraud and crime: like vandalism, looting and people grabbing the opportunity

Question 128

DRP Key Points

Answer 128

• Make sure to get communications up first, then most critical business functions
• Documenting the plan
• Activation and recovery procedures
• Plan management
• HR involvement
• Costs
• Required documentation
• Internal/external communications
• Detailed Plans by team members

Question 129

Desk Check: DRP Test

Answer 129

Deskcheck simply reviews the plans contents on paper

Question 130

Table-top Exercise

Answer 130

Members of the DRP team gather in a large conference room and role-play a disaster scenario

Question 131

Simulation Tests

Answer 131

More comprehensive and may impact one or more noncritical business units of the organisation, all support personnel meet in a practice room

Question 132

Parallel Tests

Answer 132

Involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at an alternate site, main site open also

Question 133

Full-interruption tests

Answer 133

Involve relocating personnel to the alternate site and shutting down operations at the primary site

Question 134

BCP

Answer 134

Plan for emergency response, backup operations and post disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.

Question 135

BCP Process

Answer 135

1. Scope and Plan Initiation: consider amount of work required, resources required, management practice
2. BIA: helps to understand impact of disruptive processes
3. BCP Development: Use BIA to develop BCP (strategy development phase bridges the gap between the BIA and the continuity planning phases of BCP development). Also includes testing of BCP.
4. Plan approval and implementation: Management approval, and creating awareness

Question 136

BCP Testing Frequency

Answer 136

Should be atleast once a year

Question 137

DRP vs BCP

Answer 137

DRP has a heavy IT focus, allows the execution of the BCP, needs planning and testing

Question 138

BCP Development

Answer 138

Is about defining the continuity strategy. Computing strategy to preserve the elements of hardware/software/communication lines/applications/data

Question 139

Facilities

Answer 139

Use of main buildings or remote facilities

Question 140

People

Answer 140

Operators, management, technical support persons

Question 141

Supplies and equipment

Answer 141

Paper, HVAC

Question 142

BCP Committee: Roles and Responsibilities

Answer 142

• Senior Staff (ultimate responsibility, due care/diligence)
• Various business units (identify and prioritise time critical systems)
• Information Systems
• Security Administrator
• People who will carry out the plan (execute)
• Representatives from all departments

Question 143

CCTV

Answer 143

Enables you to compare the audit trails and access logs with a visual recording. Attacks include: replay attacks. Recording = detective control

Question 144

Glare Protection: Lighting

Answer 144

Against blinding by lights

Question 145

Continuous Lighting

Answer 145

Evenly distributed lighting

Question 146

Standby Lighting

Answer 146

Timers

Question 147

Responsive Areas Illumination

Answer 147

IDS detects activities and turns on lighting

Question 148

NIST guidance on lighting

Answer 148

For critical areas the area should be illuminated 8 feet in height with 2 foot candle power

Question 149

Fences: Guidance

Answer 149

Small mesh and high gauge is most secure.
3-4 feet deters casual trespasser
6-7 feet too hard to climb easily
8 feet + wires deters intruders, and difficult to climb
However, no one STOPS a determined intruder

Question 150

Local Alarms

Answer 150

Audible alarm for at least 4000 feet far

Question 151

Central Stations

Answer 151

Less than 10 minutes travel time for a private security firm

Question 152

Proprietary Systems

Answer 152

Owned and operated by the customer. System provides many of the features in-house

Question 153

Auxiliary Station Systems

Answer 153

On alarm ring out to lcoal fire or police

Question 154

Line supervision check

Answer 154

If no tampering is done with the alarm wires

Question 155

Power supplies

Answer 155

Alarm systems needs separate circuitry and backup power

Question 156

Electromechanical: Physical Perimeter Detection

Answer 156

Detect a break or change in a circuit magenets pulled lose, wire door, pressure pads

Question 157

Photoelectric

Answer 157

Light beams interrupted (such as in store entrance)

Question 158

Passive Infrared

Answer 158

Detects changes in temperature

Question 159

Acoustical Detection

Answer 159

Microphones, vibrations sensors

Question 160

Wave Pattern Motion Detecters

Answer 160

Detects motions

Question 161

Proximity or Capcitance Detector

Answer 161

Magnetic field detects presence around an object

Question 162

Warded lock

Answer 162

Hanging lock with a key

Question 163

Tumbler lock

Answer 163

Cylinder slot

Question 164

Combination lock

Answer 164

3 digits with wheels

Question 165

Cipher Lock

Answer 165

Electrical lock

Question 166

Device Lock

Answer 166

Bolt down hardware

Question 167

Preset Lock

Answer 167

Ordinary door lock

Question 168

Programmable Lock

Answer 168

Combination or electrical lock

Question 169

Raking

Answer 169

Circumvent a pin tumbler lock

Question 170

Audit Trails

Answer 170

Ensure to collect date and time stamps, successful or not attempt, where the access was granted, who granted access, and who modified access privileges at supervisor level

Question 171

Photo ID Card

Answer 171

Dumb digital coded ID cards, such as swipe cards and smartcards

Question 172

Wireless Proximity CArds

Answer 172

User activated, system sensing. These can be passive or field powered.

Question 173

Passive, Field Powered and Transponders

Answer 173

Passive: no battery, uses power of the field
Field Powered: active electronics, transmitter but gets power form the surrounding field from the reader.
Transponders; Both card and receiver holds power, transmitter and electronics

Question 174

Trusted Recovery

Answer 174

Ensures that the security is not breached when a system crash or failure occurs. only required for B3 and A1 level systems.

Question 175

Failure Preperation

Answer 175

Backup critical information thus enabling data recovery.

Question 176

System recovery after a system crash

Answer 176

1. Rebooting system in single user mode or recovery console, so no user access is enabled
2. Recovering all file systems that were active during failure
3. Restoring missing or damaged files
4. Recovering the required security characteristic, such as file security labels
5. Checking security-critical files such as system password file

Question 177

Manual: Reocvery Type

Answer 177

System admin intervention is required to return the system to a secure state

Question 178

Automatic: Recovery type

Answer 178

Recovery to a secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures)

Question 179

Automatic without Undo Loss: Recovery Type

Answer 179

Higher level of recovery defining prevention against the undue loss of protected objects

Question 180

Function: Recovery Type

Answer 180

System can restore functional processes automatically

Question 181

System Reboot: Types of System Failure

Answer 181

System shuts itself down in a controlled manner after detecting inconsistent data structures or runs out of resources

Question 182

Emergency Restart: Types of System Failure

Answer 182

when a system restarts after a failure happens in an uncontrolled manner. E.g. when a low privileged user tries to access restricted memory segments

Question 183

System Cold Start: Types of System Failure

Answer 183

When an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system in a more consistent state.

Question 184

Hackers and crackers: Types of Attackers

Answer 184

Want to verify their skills as intruders

Question 185

Entitlement

Answer 185

Refers to the amount of privileges granted to users, typically when first provisioning an account. A user entitlement audit can detect when employees have excessive privileges.

Question 186

Aggregation

Answer 186

Privilege creep, accumulate privilege

Question 187

Hypervisor

Answer 187

Software component that manages the virtual components. The hypervisor adds an additional attack surface, so its important to ensure it is deployed in a secure state and kept up-to-date with patches, controls access to physical resources

Question 188

Exigent circumstances

Answer 188

Allows officials to seize evidence before it is destroyed. Police is called in.

Question 189

Data haven

Answer 189

Is a country or location has no laws or poorly enforced laws

Question 190

Chain of custody

Answer 190

Collection, analysis and preservation of data. Forensics uses bit-level copy of the disk

Question 191

Darknet

Answer 191

Unused network space that may detect unauthorised activity

Question 192

Pseduo Flaw

Answer 192

False vulnerability in a system that may attract an attacker

Question 193

Fair information practices

Answer 193

Openness, collection limitation, purpose specification, use limitation, data quality, individual participation, security safeguards, and accountability.

Question 194

Noise and perturbation

Answer 194

Inserting bogus information to hope to mislead an attacker

Question 195

First step of change process

Answer 195

Management approval. When a question is about processes, there must always be management’s approval as first step

Question 196

Prototyping

Answer 196

Customer view taken into account

Question 197

SQL - SUDIGR

Answer 197

6 basic SQL commands: Select, Update, Delete, Insert, Grant, Revoke

Question 198

Bind Variables

Answer 198

Placeholders for literal values in SQL query being sent to the database on a server. Bind variables in SQL used to enhance performance of a database

Question 199

Gantt and PERT Charts

Answer 199

Project management and monitor progress and planning of projects

Question 200

Piggybacking

Answer 200

Looking over someone’s shoulder to see how someone gets access

Question 201

Datacentre Secure Feautres

Answer 201

Walls from floor to ceiling, concrete floor slab of 150 pounds per square foot, no windows, and air conditioning should have own emergency power off

Question 202

Electronic Access Control (EAC)

Answer 202

Proximity readers, programmable locks or biometric systems

Question 203

CPTED Crime Prevention Through Environmental Design

Answer 203

Natural access control: guidance of people by doors, fences bollards lighting. Secure zones defined.

• Natural surveillance: cameras and guards
• Territorial Reinforcements: walls, fences, flags
• Hardening: focus on locks, cameras, guards

Question 204

Facility site

Answer 204

Core of building (thus with 6 stores, on 3rd floor)

Question 205

Hacktivists

Answer 205

Combination of hacker and activist, often combine political motivations with the thrill of hacking

Question 206

Thrill attacks

Answer 206

Attacks launched only for the fun of it. Pride, bragging rights

Question 207

Script kiddies

Answer 207

Attackers who lack the ability to devise their own attacks will often download programs that do their work for them, such as website defacements

Question 208

Business attacks

Answer 208

Focus on illegally obtaining an organisation’s confidential information

Question 209

Financial attacks

Answer 209

Carried out to unlawfully obtain money or services

Question 210

Terrorist Attacks

Answer 210

Purpose of a terrorist attack is to disrupt normal life and instill fear

Question 211

Military or inteliigence attack

Answer 211

Designed to extract secret information

Question 212

Grudge attacks

Answer 212

Attacks that are carried out to damage an organisation or a person.

Question 213

Sabotage

Answer 213

Criminal act of destruction or disruption committed against an organisation by an employee.

Question 214

Espionage

Answer 214

Malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organisation. Countermeasures include: strict access control measures to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.

Question 215

Integrity breaches

Answer 215

Unauthorised modification of information, violations are not limited to intentional attacks. Human error, oversight, or ineptitude accounts for many instances

Question 216

Confidentiality breaches

Answer 216

Theft of sensitive information