Domain 7 security operations COPY Flashcards

1
Q

If we look at our Disaster Recovery Plan (DRP) for what to do when we are attacked, in which phase of incident management do we shut system access down?
A: Detection
B: Preparation
C: Response
D: Recovery

A

Explanation
D: Response
The response phase is when the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident. This can be taking a system off the network, isolating traffic, powering off the system, or however our plan dictates we isolate the system to minimize both the scope and severity of the incident. Knowing how to respond, when to follow the policies and procedures to the letter and when not to, is why we have senior staff handle the responses. We make bit-level copies of the systems, as close as possible to the time of the incident, to ensure they are a true representation of the incident.

2
Q

Which of the following is not true about continuous monitoring?
A. It involves ad hoc processes that provide agility in responding to novel attacks.
B. Its main goal is to support organizational risk management.
C. It helps determine whether security controls remain effective.
D. It relies on carefully chosen metrics and measurements.

A

The answer is A:

Continuous monitoring is a deliberate, data-driven process supporting organizational risk management. One of the key questions it answers is: are controls still effective at mitigating risks? Continuous monitoring could potentially lead to a decision to implement specific ad hoc processes, but these would not really be part of continuous monitoring.

3
Q

Which two numbers are required for DRBC?

  1. sla, roi
  2. sle, aro
  3. rto, rpo
  4. itil, ale
A

RTO and RPO (recovery time objective and recovery point objective)

4
Q

How many DRPs are part of BC?

A

There could be many (no limit) DR plans under the business continuity plan.

5
Q

What is the goal of recovery?

A

Resumption of critical business functions.

6
Q

When we are doing our digital forensics, in which order would we perform the steps?
A: identify, acquire, analyze, report
B: identify, analyze, acquire, report
C: analyze, identify, acquire, report
D: report, identify, analyze, report

A

A: identify, acquire, analyze, report
Explanation
The digital (computer) forensics process: identify the potential evidence, acquire the evidence, analyze the evidence, make a report. We need to be more careful about how we gather our forensic evidence; attackers are covering their tracks, deleting the evidence and logs.

7
Q

As part of our Disaster Recovery Plan (DRP), we are building our secondary data center 100 miles (160 km.) from our primary data center.

With which of these secondary sites would we MOST LIKELY be back up and running on our critical applications within 3 hours?

(Select all that apply).
A: warm site
B: cold site
C: hot site
D: redundant site

A

C and D
Explanation
Redundant site: A complete, identical copy of our production site that receives a real-time copy of our data. If our main site is down, all traffic automatically fails over to the redundant site. Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec’d systems. We may have to manually fail traffic over, but a full switch can take an hour or less. Warm sites would take 4-24+ hours, cold sites can take weeks.

8
Q

What would we have our staff sign to acknowledge they understand and agree with their assigned responsibilities during a disaster?
A: MOU
B: MTT
C: MRA
D: MIT

A

A: MOU
Explanation
MOU/MOA (Memorandum of Understanding/Agreement): Our staff signs a legal document acknowledging they are responsible for a certain activity. If the test asks “A critical staff member didn’t show, and they were supposed to be there. What could have fixed that problem?” it would be the MOU/MOA. While slightly different they are used interchangeably on the test.

9
Q

What does SOAR stand for?

A

Security orchestration, automation and response

10
Q

Which of these is NOT protected by the 4th amendment in the US?
A: your internet history
B: anything search warranted
C: your emails
D: anything done online

A

B: anything search warranted
Explanation
We ensure our evidence is acquired in a legal manner; remember the US Constitution's 4th amendment: the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated. Anything subpoenaed, search warranted, turned over voluntarily, or in exigent circumstances (immediate danger of being destroyed) can allow law enforcement to bypass the 4th amendment.

11
Q

What is BC focused on?

  1. IT
  2. accounting
  3. operations
  4. continuity of the organization’s business operations
A

Continuity of the organization’s business operations

12
Q

As part of our Disaster Recovery Plan (DRP), we are building our secondary data center 100 miles (160 km.) from our primary data center.

With which of these secondary sites would we MOST LIKELY be back up and running on our critical applications within 3 hours?

(Select all that apply).
A: cold site
B: warm site
C: redundant site
D: hot site

A

Explanation – C and D
Redundant site: A complete, identical copy of our production site that receives a real-time copy of our data. If our main site is down, all traffic automatically fails over to the redundant site. Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec’d systems. We may have to manually fail traffic over, but a full switch can take an hour or less. Warm sites would take 4-24+ hours, cold sites can take weeks.

13
Q

As part of our disaster recovery response, we are paying a provider to keep a copy of our servers and data. The servers are to remain down always, with the exception of patches and database syncs, and are only to be spun up if we have a disaster. What would this be called?
A: redundant
B: mobile site
C: reciprocal
D: subscription site

A

D: subscription site
Explanation
Subscription/cloud site: We pay someone else to have a minimal or full replica of our production environment up and running within a certain number of hours (SLA). They have fully built systems with our applications and receive backups of our data; if we are completely down, we contact them and they spin the systems up and apply the latest backups. How fast and how much is determined by our plans and how much we want to pay for this type of insurance.

14
Q

What is recovery point objective (RPO)?

A

The amount of data loss tolerable when an incident or disaster occurs. Usually expressed in number of transactions or data points (how often are backups being done).

15
Q

Jane is doing network forensics on an attack. Which of these is a COMMON form used?
A: catch-as-you-can
B: stop, act, prevent
C: catch-and-release
D: stop and release

A

A: catch-as-you-can
Explanation
Network forensics: Systems used to collect network data for forensics use usually come in two forms: Catch-it-as-you-can: All packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage. Stop, look and listen: Each packet is analyzed in a basic way in memory and only certain information is saved for future analysis. This approach requires a faster processor to keep up with incoming traffic.

16
Q

Our main facility has been hit with a complete power outage and we need to set up a temporary command and control center. What would we be deploying?
A: eoc
B: drp
C: coop
D: eoo

A

Explanation — A
EOC (Emergency Operations Center): A central temporary command and control facility responsible for our emergency management or disaster management functions at a strategic level during an emergency. It ensures the continuity of operations of our organization. We place the EOC in a secure location if the disaster is impacting a larger area.

17
Q

In designing our backup strategy, you are asked if there are any types of backups you can’t use together. Which of these would be the right answer?
A: full and incremental
B: Incremental and copy
C: differential and incremental
D: differential and copy

A

C: differential and incremental

18
Q

Is DR (disaster recovery) a subset of BC (business continuity)?

A

Yes

19
Q

What is MTD (maximum tolerable downtime) or MAD (maximum allowable downtime)?

A

The amount of time an organization can survive without an asset or process. After this time an organization may no longer be viable.

20
Q

Which of the sub-plans of our Business Continuity Plan (BCP) would we look at for dealing with evacuating staff in an emergency?
A: OEP
B: CIRP
C: CCP
D: COOP

A

A: OEP
Explanation
OEP (Occupant Emergency Plan): How we protect our facilities, our staff and the environment in a disaster event. This could be fires, hurricanes, floods, criminal attacks, terrorism, etc. It focuses on safety and evacuation, and details how we evacuate, how often we do the drills and the training staff should get.

21
Q

We are using server clustering on critical applications. What is the MAIN purpose of server clustering?
A: Fault tolerance
B: Load balancing
C: traffic distribution
D: making configurations easier

A

A: Fault tolerance
Explanation
Clustering is designed for fault tolerance, often combined with load balancing, but not innately. Clustering can be active/active, which is load balancing: with 2 servers, both servers would actively process traffic. Active/passive: there is a designated primary active server and a secondary passive server; they are connected and the passive sends a keep-alive or heartbeat every 1-3 seconds, “are you alive, are you alive…”

22
Q

Should RPO be higher or lower than MTD?

A

RPO should always be lower than MTD; otherwise there would be no sense in ever trying, because the company would cease to function.

23
Q

What does a SOAR do?

A

It takes the same ideas as a SIEM: collecting and aggregating events from devices, then categorizing and analyzing incidents before issuing alerts. SOAR helps to automate responses to alerts.

24
Q

In our incident management, what are the 3 LAST phases in order?
A: reporting, remediation, lessons learned
B: remediation, recovery, lessons learned
C: recovery, remediation, lessons learned
D: reporting, recovery, lessons learned

A

C: recovery, remediation, lessons learned
Explanation
The last 3 are recovery, remediation, lessons learned. The current exam lists a 7-step lifecycle, but does not include the first step found in most incident handling methodologies, preparation. Preparation > Detection (Identification) > Response (Containment) > Mitigation (Eradication) > Reporting > Recovery > Remediation > Lessons Learned (Post-incident Activity, Post Mortem, or Reporting).

25
Q

What is recovery time objective (RTO)?

A

The maximum tolerable length of time that a computer, system, network or application can be down after a failure or disaster occurs.

26
Q

What items do IR (incident response) plans typically contain?

A
  1. definition of incident types (the different types of incident plans)
  2. the incident response team (personnel)
  3. roles and responsibilities for the IR team in each different type of incident
  4. resources required, such as security management tools and detection and response tools like SIEM and IDS, plus checklist and procedure documentation
  5. the incident management process, laid out according to the lifecycle phases
27
Q

When Jane is designing the specifications in our Disaster Recovery Plan (DRP), she is including technology and countermeasures for Internet Service Provider (ISP) outages. Which type of disasters is she focused on?
A: Environmental
B: Natural
C: All of these
D: man made

A

A: Environmental
Explanation
Environmental: This is not nature, but the environments we work in: the power grid, the internet connections, hardware failures, software flaws, …

28
Q

What is the goal of restoration?

A

Return to normal service levels at the primary site.

29
Q

What is an event?

A

Any observable change that does not require action to be taken.
Examples: routine user or system actions, such as a user successfully logging into a system or a file being accessed.

30
Q

What is an incident?

A

Events that are both unplanned and have an adverse impact on the organization. They typically require investigation and remediation.

31
Q

What department is DR focused on restoring?

  1. accounting
  2. business continuity
  3. IT
  4. the business
A

IT

32
Q

Who can declare a disaster?

A

The senior-most security personnel (senior management)

33
Q

Our main facility has been hit with a complete power outage and we need to set up a temporary command and control center. What would we be deploying?
A: EOO
B: EOC
C: DRP
D: COOP

A

B: EOC
Explanation
EOC (Emergency Operations Center): A central temporary command and control facility responsible for our emergency management or disaster management functions at a strategic level during an emergency. It ensures the continuity of operations of our organization. We place the EOC in a secure location if the disaster is impacting a larger area.

34
Q

DR (disaster recovery) is a subset of what other plan?

A

BC (business continuity)

35
Q

Why is declaring a disaster, so that the DR plan kicks in, left to senior management?

A

There is significant financial cost, and the DR plan suspends normal processes and operations, so it's not a decision to be taken lightly by an untrained staff member.

36
Q

7 steps to incident management

A
  1. detection
  2. response
  3. mitigation
  4. reporting
  5. recovery
  6. remediation
  7. lessons learned
37
Q

Which sub-plan would we look at in our Business Continuity Plan (BCP) for dealing with continuing our day to day operations?
A: ccp
B: coop
C: oep
D: cirp

A

Explanation B:
COOP (Continuity of Operations Plan): How we keep operating in a disaster, how we get staff to alternate sites, and all the operational things we need to ensure we function, even if at reduced capacity, for up to 30 days.

38
Q

Incremental backup - explain

A
  • backs up changes since the last incremental backup
  • the archive bit is reset
  • each incremental backup is considerably smaller
  • if a restore needs to be done, all incremental backups back to, and including, the last full backup would need to be restored
39
Q

Differential backups - explain

A
  • this backs up all the data changed since the last FULL backup
  • each differential backup is much larger
  • if a recovery was needed, you would only need the most recent differential and the last full backup
  • fewer backups are needed for a restore, but much more backup storage is needed
40
Q

Recovery site

Warm site

A
  • a warm site mostly has everything that a hot site has, minus any type of backup
  • backups need to be transported to a warm site, then recovery can start
  • recovery time on a warm site: at least 12 hours