Operations Security Flashcards
Define clipping level
define a baseline for normal user activity or an acceptable level of errors
For what 4 purposes can audit trails be used in operations security
to monitor problems
provide individual accountability with records of who took which activities and when
to detect possible system intrusions
to reconstruct events to support investigations
What type of control provides replacement mechanisms in case primary controls are lost?
Compensating control
What type of control is designed to stop users from violating security?
preventative control
What type of control can restore a system to its normal operating state after a fault or incident occurs?
Recovery control
What type of control details procedures and guidelines for protecting security?
directive control
4 items involved with maintaining operations security
maintaining operational resilience
protecting valuable assets
controlling system accounts
managing security services
7 types of controls
directive
preventative
deterrent
compensating
detective
corrective
recovery
define directive controls
state rules of acceptable behavior
define preventative controls
designed to prevent any actions that violate a company’s security policy
define deterrent controls
discourage individuals from violating security directives
define compensating controls
serve to provide replacement for the loss of primary controls
define detective controls
identify and warn of incidents of security control breaches
define corrective controls
used to remedy circumstances, mitigate damage, and restore controls
define recovery controls
restore a system to its normal operating state after a security incident.
4 categories of controls
hardware
software
operations
media
6 steps in change management
submit change request
approve the change
document the change
test the change
implement the change
report the change
4 uses for audit trails
monitor problems
detect intrusions
ensure individual accountability
reconstruct events
What port does SMTP use?
25
What port does POP3 use?
110
define email relaying
involves transferring email messages from one mail server to another. Can be used to hide identity.
define SMTP relaying
sending email messages from one server to another using SMTP. Can be used to hide identity.
What ports does FTP use?
20
21
Define Evasive Sweep
attempt to bypass firewall and IDS without leaving a trace.
2 types of stealth scans
SYN scan
FIN scan
4 types of admin controls to improve security
separation of duties
rotation of duties
least privileges
mandatory vacations
In the event of a security incident, one of the primary objectives of the operations staff is to ensure that
A. the attackers are detected and stopped
B. there is minimal disruption to the organization’s mission
C. appropriate documentation about the event is maintained as chain of evidence
D. the affected systems are immediately shut off to limit the impact
B. there is minimal disruption to the organization’s mission
Assuming a working IDS is in place, which of the following groups is best capable of stealing sensitive information due to the absence of system auditing? A. malicious software B. hacker or cracker C. disgruntled employee D. auditors
C. disgruntled employee
Which of the following provides controlled and un-intercepted interfaces into privileged user functions? A. ring protection B. anti-malware C. maintenance hooks D. trusted paths
D. trusted paths
The doors of a data center spring open in the event of a fire. This is an example of A. fail-safe B. fail secure C. fail proof D. fail closed
A. fail-safe
Which of the following ensures constant redundancy and fault tolerance? A. cold spare B. warm spare C. hot spare D. archives
C. hot spare
If speed is preferred over resilience, which of the following RAID configurations is the best choice? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10
A. RAID 0
Updating records in multiple locations or copying an entire database to a remote location as a means to ensure the appropriate levels of fault tolerance and redundancy is known as A. data mirroring B. shadowing C. backup D. archiving
B. shadowing
When the backup window is not long enough to back up all of the data and the restoration of the backup must be as fast as possible, which of the following types of high availability backup strategies is best?
A. full
B. incremental
C. differential
D. increase the backup window so a full backup can be performed.
C. differential
At a restricted facility, visitors are requested to provide identification and are verified against a pre-approved list by the guard at the front gate before being let in. This is an example of checking for: A. least privilege B. separation of duties C. fail safe D. psychological acceptability
A. least privilege
The major benefit of information classification is to
A. map out the computing ecosystem
B. identify the threats and vulnerabilities
C. determine the software baseline
D. identify the appropriate level of protection needs
D. identify the appropriate level of protection needs
When sensitive information is no longer critical but still within scope of a record retention policy, that information is best A. destroyed B. re-categorized C. degaussed D. released
B. re-categorized
The main benefit of placing users into groups and roles is A. ease of user administration B. increased security C. ease of programmatic access D. increased automation
A. ease of user administration
Which of the following best determines the suitability of an individual? A. job rank or title B. partnership with the security team C. role D. background investigation
D. background investigation
Reports must be specific on both the message and which of the following? A. intended audience B. delivery options C. colors used D. print layout
A. intended audience
Which of the following can help with ensuring that only the needed logs are collected for monitoring? A. clipping level B. aggregation C. xml parsing D. inference
A. clipping level
The main difference between a security event information management system and a log management system is that SEIM systems are useful for log collection, collation, and analysis A. in real time B. for historical purposes C. for admissibility in court D. in discerning patterns
A. in real time
When normal traffic is flagged as an attack, it is an example of A. fail safe B. fail secure C. false negative D. false positive
D. false positive
The best way to ensure that there is no data remanence of sensitive information that was once stored on a DVD-R media is by A. deletion B. degaussing C. destruction D. overwriting
C. destruction
Which of the following processes is concerned with not only identifying the root cause but also addressing the underlying issue? A. incident management B. problem management C. change management D. configuration management
B. problem management
Before applying a software update to production systems, it is most important that
A. full disclosure information about the threat that the patch addresses is available
B. the patching process is documented
C. the production systems are backed up
D. an independent third party attests to the validity of the patch
C. the production systems are backed up
Which of the following is not a common component of configuration management change control steps? A. Tested and presented B. Service level agreement approval C. Report change to management D. Approval of the change
B. Service level agreement approval
A change management process should include a number of procedures. Which of the following incorrectly describes a characteristic or component of a change control policy?
A. Changes that are unanimously approved by the change control committee must be tested to uncover any unforeseen results.
B. Changes approved by the change control committee should be entered into a change log
C. A schedule that outlines the projected phases of the change should be developed
D. An individual or group should be responsible for approving proposed changes.
A. Changes that are unanimously approved by the change control committee must be tested to uncover any unforeseen results.
Erasure is required at the end of the media life cycle if the media contains sensitive information. Which of the following best describes purging?
A. Changing the polarization of the atoms on the media.
B. It is acceptable when media are to be reused in the same physical environment for the same purpose.
C. Data formerly on the media is made unrecoverable by overwriting it with a pattern.
D. Information is made unrecoverable, even with extraordinary effort.
D. Information is made unrecoverable, even with extraordinary effort.
Device backup and other availability solutions are chosen to balance the value of having information available against the cost of keeping that information available. Which of the following best describes fault-tolerant technologies?
A. They are among the most expensive solutions and are usually only for the most mission critical information.
B. They help service providers identify appropriate availability services for the specific customer.
C. They are required to maintain integrity, regardless of the other technologies in place.
D. They allow a failed component to be replaced while the system continues to run.
A. They are among the most expensive solutions and are usually only for the most mission critical information.
Which of the following refers to the amount of time it will be expected to take to get a device fixed and back into production? A. SLA B. MTTR C. Hot Swap D. MTBF
B. MTTR
Mean Time to Repair
Which of the following correctly describes Direct Access and Sequential Access storage devices?
A. Any point on a direct access storage device may be promptly reached, whereas every point in between the current position and the desired position of a sequential access storage device must be traversed in order to reach the desired position.
B. RAIT is an example of a direct access storage device while RAID is an example of sequential access storage
C. MAID is a direct access storage while RAID is an example of a sequential access storage device
D. As an example of sequential access storage, tape drives are faster than direct access storage
A. Any point on a direct access storage device may be promptly reached, whereas every point in between the current position and the desired position of a sequential access storage device must be traversed in order to reach the desired position.
There are classifications for operating system failures. Which of the following refers to what takes place when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system to a more consistent state, requiring an administrator to intervene? A. Emergency system restart B. Trusted recovery C. system cold start D. system reboot
C. system cold start
Various levels of RAID dictate the type of activity that will take place within the RAID system. Which level is associated with byte-level parity? A. RAID level 0 B. RAID level 3 C. RAID level 5 D. RAID level 10
B. RAID level 3
Which of the following incorrectly describes IP spoofing and session hijacking?
A. Address spoofing helps an attacker to hijack sessions between two users without being noticed.
B. IP spoofing makes it harder to track
C. Session hijacking can be prevented with mutual authentication.
D. IP spoofing is used to hijack SSL and IPSec secure communications.
D. IP spoofing is used to hijack SSL and IPSec secure communications.
RAID systems use a number of techniques to provide redundancy and performance. Which of the following activities divides and writes data over several drives? A. Parity B. Mirroring C. Striping D. Hot swapping.
C. Striping
What is the difference between hierarchical storage management and storage area network technologies?
A. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement this technology.
B. HSM and SAN are one and the same. The difference is implementation.
C. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage
D. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage.
C. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage
What type of exploited vulnerability allows more input than the program has allocated space to store it? A. symbolic links B. file descriptors C. kernel flaws D. Buffer overflow
D. Buffer overflow
There are often scenarios where the IT staff must react to emergencies and quickly apply fixes or change configurations. When dealing with such emergencies, which of the following is the best approach to making changes?
A. Review the changes within 48 hours
B. Review and document the emergency changes after the incident is over
C. Activity should not take place in this manner
D. Formally submit the change to a change control committee and follow the complete change control process.
C. Activity should not take place in this manner
Organizations should keep system documentation on hand to ensure that the system is properly cared for, that changes are controlled, and that the organization knows what's on the system. What does not need to be in this type of documentation? A. Functionality B. changes C. Volume of transactions D. identity of system owner
C. Volume of transactions
Fred is a new security officer who wants to implement a control for detecting and preventing users who attempt to exceed their authority by misusing the access rights that have been assigned to them. Which of the following best fits this need?
A. Management review
B. two-factor identification and authentication
C. capturing this data in audit logs
D. Implementation of a strong security policy
A. Management review
Which of the following is the best way to reduce brute force attacks that allow intruders to uncover users’ passwords?
A. Increase the clipping
B. Lock out an account for a certain amount of time after the clipping level is reached.
C. After a threshold of failed login attempts is met, the administrator must physically lock out the account.
D. Choose a weaker algorithm that encrypts the password file.
B. Lock out an account for a certain amount of time after the clipping level is reached.
Brandy couldn't figure out how Sam gained unauthorized access to her system, since he has little computer experience. Which of the following is the most likely attack Sam used? A. Dictionary attack B. shoulder surfing attack C. Covert channel attack D. Timing attack
B. shoulder surfing attack
The relay agent on a mail server plays a role in spam prevention. Which of the following incorrectly describes mail relays?
A. Antispam features on mail servers are actually antirelaying features
B. Relays should be configured wide open to receive any email message
C. Relay agents are used to send messages from one mail server to another
D. If a relay is configured wide open, the mail server can be used to send spam.
B. Relays should be configured wide open to receive any email message