Domain 7 - Security Operations

Question 1

The following represent what?

1. Administrative
2. Criminal
3. Civil
4. Regulatory - Gov Agency Investigation
5. Industry Standards - Electronic Discovery

Answer 1

Investigation types

Question 2

The following is what in regards to Forensics Techniques / evidence?

1. must be relevant to determining fact
2. the fact must be material relevant to the case
3. must be competent, must have obtained legally

Answer 2

admissible evidence

Question 3

What are the three types of evidence that can be used in a court of law?

Answer 3

1. Real Evidence - Physical items that are brought into court and can be seen/examined
2. Documentary Evidence - Written items brought into court to prove a face about the case
   Best Evidence Rule
   Parol Evidence Rule
3. Testimonial Evidence - Testimony of a witness
   Direct
   Expert
   Hearsay

Question 4

Documents the evidence lift cycle from discovery and collection through analysis and storage to reporting and presentation.

Answer 4

Chain of Evidence

a. general description
b. time and date
c. exact location
d. name of the person collecting evidence
e. relevant circumstances surrounding collection

Question 5

What do the following steps represent in regards to Investigations?

1. Call in Law Enforcement
2. Gather evidence
3. Conduct Investigation
4. Interview Individuals
5. Report on and document Investigation

Answer 5

Investigative Process

Question 6

TRUE / FALSE

IDS = PASSIVE
IPS = ACTIVE

Answer 6

TRUE

IPS has the ability to take action such as re configuring a firewall to block a threat. IDS can only send alerts which doesn’t qualify as taking action.

Question 7

Ensures no single person has total control

Answer 7

Separation of duties

Question 8

Applies concept of least privilege to applications and processes

Answer 8

Separation of privileges

Question 9

Separation of duties + least privilege

Designated to guard against excessive system access to prevent conflicts of interest

Answer 9

Segregation of Duties

Question 10

Activity requires the approval of two people to be carried out

Answer 10

Two Person Control (Rule)

Question 11

Separation of Duties + Two Person Rule

Answer 11

Split-Knowledge

Question 12

Move people through various jobs / tasks to spread knowledge & responsibility

a. mandatory vacations

Answer 12

Job Rotation

Mandatory Vacations classified as a form of Job Rotation

Question 13

What do the following represent?

a. Create of Capture
b. Classification
c. Storage
d. usage
e. archive
f. Destruction or purging

Answer 13

Information Lifecycle Phases

Question 14

Document describing the level of service expected by a customer

Answer 14

SLA - Service Level Agreement

OLA - Internal facing SLAs. (Example: IT and Sales)

Examples:
MOU - Memorandum of Understanding
ISA - Interconnection Security Agreement

Question 15

What do the following steps represent?

1. Detection
2. Response
3. Mitigation
4. Reporting
5. Recovery
6. Remediation
7. Lessons Learned

Answer 15

Incident Response Process

Question 16

Mantra of the CSIRT (Computer Incident Response Team) is what?

Answer 16

Isolation is good. Powering off is bad.

Question 17

Smurf vs Fraggle Attacks

Which uses ICMP and Which uses UDP?

Answer 17

SMURF = ICMP

FRAGGLE = UDP

Question 18

Firewalls:

Stateful = \_\_\_\_\_\_\_
Stateless = \_\_\_\_\_\_\_

Answer 18

Stateful = Dynamic (Looks at packets as they come through and keeps record of them so it can get the bigger picture)

Stateless = Static

Question 19

What do these steps represent in regards to patching?

Evaluate
Test
Approve
Deploy
Verify deployment

Answer 19

Patch Management Process Flow

Question 20

Helps reduce unanticipated outcomes due to unauthorized activity

Answer 20

Change Management

Question 21

Evaluation of proposed changes to identify potential security issues PRIOR to implementation

Answer 21

Security Impact Analysis

Question 22

What does the following process represent?

1. Request for Change (RFC)
2. Review of the change by the Change Advisory Board (CAB)
3. Approval / Rejection of Change
4. Test Approved Change (s)
5. Schedule and Release (Implement | Deploy)
6. Document the change

Answer 22

Change Management Process

Question 23

Match the Term to the correct definition:

Mirror Backup
Full Backup
Incremental Backup
Differential Backup

_______: Captures your entire system and all the data you want to protect. If done frequently, these result in easier recovery operations.

_______: Creates a Mirror copy of the source data. when a source file is deleted it is also deleted from the mirror backup automatically.

_______: Captures only the changes made since the last FULL or incremental backup. Saves both time and storage space. Files with their archive bit set to 1 (enabled) are backed up. Once complete, the archive bit on ALL files is reset and turned off

_______: Captures only the changes made since the last FULL backup, not since the last differential backup. All files with their archive bit enabled are backed up but the archive bit IS NOT reset once files are backed up.

Answer 23

FULL : Captures your entire system and all the data you want to protect. If done frequently, these result in easier recovery operations.

MIRROR : Creates a Mirror copy of the source data. when a source file is deleted it is also deleted from the mirror backup automatically.

Incremental : Captures only the changes made since the last FULL or incremental backup. Saves both time and storage space. Files with their archive bit set to 1 (enabled) are backed up. Once complete, the archive bit on ALL files is reset and turned off

Differential : Captures only the changes made since the last FULL backup, not since the last differential backup. All files with their archive bit enabled are backed up but the archive bit IS NOT reset once files are backed up.

Question 24

Employed for applications that cannot accept any downtime without negatively impacting the organization.

Answer 24

Redundant Center

!!NO TIME SPENT OFFLINE !!!

Advantages:

Little or no downtime
ease of maintenance
No recovery required

Disadvantages

Most expensive
Requires redundant hardware
distance limitations

Question 25

Standby ready with ALL the technology and equipment necessary to run the applications positioned there.

Quickest Recovery
Most Expensive
Operational within hours

Answer 25

Hot Site

No more than 1 business day offline

Question 26

A Facility that is PARTIALLY configured with some data center support infrastructure, such as HVAC, computers, etc.

Answer 26

Warm Site

a few days offline

Question 27

A shell or EMPTY data center space with no technology on the floor.

Answer 27

Cold Site

weeks to months offline

Question 28

Database backups are moved to a remote site using a bulk transfer capability.

Answer 28

Electronic Vaulting

Question 29

Quicker version of electronic vaulting using bulk transfers of data, but more frequently

Answer 29

Remote Journaling

Question 30

The ability of a system to suffer a fault but continue to operate

Answer 30

Fault Tolerance

Question 31

Not powered up but is a duplicate of the primary component that can be inserted into a system if needed

Answer 31

Cold Spare

Question 32

Already inserted in the system but do not receive power unless s they are required. These components need to be configured.

Answer 32

Warm Spare

Question 33

Inserted into the system and powered on. These components are ready to go

Answer 33

Hot Spare

Question 34

Includes two or more servers, allowing a failure of one to be “taken on” by the surviving members of the cluster via a failover process.

Answer 34

Failover Cluster

Question 35

Spike
Surge
Transients
Brownout
Sag

• a quick instance of an increase in voltage
• a quick instance of a decrease in voltage
• an increase in power that is prolonged
• a decrease in power that is prolonged
• noise on the power lines

Answer 35

Spike - a quick instance of an increase in voltage

Sag - a quick instance of a decrease in voltage

Surge - an increase in power that is prolonged

Brownout - a decrease in power that is prolonged

Transients - noise on the power lines

Question 36

What level of RAID is defined below:

Writes files in stripes across multiple disks without the use of parity information. NOT FAULT TOLERANT

Answer 36

RAID 0

Question 37

What level of RAID is defined below:

Duplicates all disk writes from one disk to another to create two identical drives.

Very costly from a drive space perspective since half of the available disk is given to mirroring.

Answer 37

RAID 1

Question 38

What level of RAID is defined below:

Requires three or more drives to implement. Striping or data like in RAID 0, with redundancy in the form of a dedicated parity drive.

Answer 38

RAID 3

Question 39

What level of RAID is defined below:

Also requires three or more drives to implement. The big difference is how parity information is stored.

Rather than using a dedicated parity drive, data and parity information is striped together across all drives.

This level is most popular and can tolerate the loss of any one drive since the parity information on the other drives can be used to reconstruct the lost one.

Answer 39

RAID 5

Question 40

What level of RAID is defined below:

Configured as two or more mirros in a stripe.

Also known as RAID 10

Answer 40

RAID 1+0

Question 41

Bringing operations back to a working state

Answer 41

Recovery

Question 42

Bringing a facility back to a working state

Answer 42

Restoration