Security Operations Flashcards
Security professionals often discuss two general conceptual classes of intrusion security mechanisms:
intrusion detection systems (IDSs) and intrusion prevention systems (IPSs).
An intrusion prevention system (IPS) is a solution that
monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorised access.
IDS/IPS solutions can be deployed as
Perimeter placement
Host-based
Network-based
IDS/IPS can detect malicious activity in a number of ways
Deviation
Signature
Pattern matching
Heuristic
SIEM
Security Information and Event Management (system)
ISCM
Information Security Continuous Monitoring
DLP
Data loss protection
DLP tools function by
comparing data leaving the control of the organization against a rule set to determine whether that action is allowed
The DLP rule set can be defined by the following
Signature, Pattern Matching, Labelling
UEBA
User and Entity Behaviour Analytics
Perhaps the most striking example of the limitations of monitoring tools was shown in the ____________ compromise, also known as the ____________ hack
Perhaps the most striking example of the limitations of monitoring tools was shown in the SolarWinds compromise, also known as the SUNBURST hack
Data loss prevention (DLP) tools can serve many functions including the following except:
A. Compliance
B. Security
C. Asset management
D. Intrusion detection
The correct answer is D.
Intrusion detection is not one of the functions. DLP tools can serve many functions, but it depends on how they are deployed and what settings the organization applies.
ITIL
Information Technology Infrastructure Library
One of the more widely adopted information technology change practices is defined in the Information Technology Infrastructure Library (ITIL) version 4, under the name of …
Change Enablement.
The ITIL process distinguishes three levels of change based on their urgency
Standard changes, which are relatively low-risk and follow established procedures,
Emergency changes, which must be implemented immediately, and
Normal changes, which do not fall into either of the other two levels.
Once the organization has identified its Configuration Items, the minimum set of security controls associated with each item is identified. This is the …
baseline (or, less ambiguously, the security baseline) for that particular CI.
During the initiation phase, Requests for Change (RFC) typically address all of the following except:
A. Identification of change requirements
B. Risk assessment
C. Documentation of the RFC
D. Evaluating the RFC for completeness
The correct answer is D.
Evaluating the RFC for completeness is part of the change review and approval process.
What is the difference between an incident and an event
Events occur when a change in a system’s state occurs. The event becomes an incident when there’s a possibility of harm.
NIST Special Publication 800-61, Computer Security Incident Handling Guide, structures incident response activities in a four-phase lifecycle:
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
ISO/IEC 27035 phases of incident management consist of
Planning and preparation
Detection and reporting
Assessment and decision
Response
Lessons learned
NIST SP 800-61 phases of incident management consist of:
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
Under the Gramm-Leach-Bliley Act (GLBA), how long do organizations have to report cyber related compromises of a customer’s personally identifiable information (PII)?
36 hours
What ISO/IEC standard defines security incident management in five phases?
27035
List four standards that identify incident response as an essential control.
PCI DSS (Payment Card Industry Data Security Standard)
COBIT (Control Objectives for Information and Related Technologies)
SOC 2 (Trust Services Criteria)
EU Network and Information Security (NIS) Directive 2016/1148
What are the four primary steps necessary for a cyber-forensic investigation?
Collection
Examination
Analysis
Reporting
What are the processes of SOAR?
A. Security orchestration, security automation, security response
B. Security, orchestration, automation, response
C. Security, orchestration, automation, recovery
D. Security, orchestration, authorization, response
A. Security orchestration, security automation, security response
What are honeypots
machines that exist on the network but do not contain sensitive or valuable data
Typically, honeypots are placed in the network …
demilitarized zone (DMZ)
What type of security is threatening the defence in depth model
Software defined security (SDS)
What is the difference between a differential backup and an incremental backup
A differential backup backs up all files changed since the last full backup. An incremental backup backs up all files changed since the last incremental backup.
Hot site activation is typically measured in
minutes to hours
Warm site activation tends to be measured in
hours to days
Cold backup site activation times are measured in
weeks if not months.
RAID 0
Not actually a redundancy configuration, as the array has no parity bits. RAID 0 stripes data across two devices, optimizing the performance over a single device.
RAID 1:
Another method that does not typically use parity bits (and RAID 1 does not even use striping); instead, the data is fully duplicated across two identical drives so that any part of the data set can be recovered if a single drive fails. This can be costly but also serves as a backup for the production data.
RAID 2:
A legacy technique not currently in wide use.
RAID 3 and 4:
Data is striped across multiple drives, and a distinct drive is used to store parity information. RAID 3 stripes data at the byte level; RAID 4 at the block level.
These RAID configurations may not be optimum for organisations seeking high availability environments, as the parity drive in each represents a potential single point of failure.
RAID 3 and 4
RAID 5
Both the data and the parity bits are striped across multiple disks; provides high availability.
RAID 6:
Uses data striping and two sets of parity bits striped across multiple disks; two drives can fail and the data can still be recovered.
What is CPTED
By directing the flow of people, using passive techniques to signal who should and should not be in a space and providing visibility to otherwise hidden spaces, the likelihood decreases that someone will commit a crime in that area
Status of the Uptime Institute 4 Tier model
Not in statute but widely adopted
SCIF
sensitive compartmented information facilities
Which type of water-based fire suppression system combines elements of wet and dry pipe actions?
A. Wet pipe
B. Dry pipe
C. Deluge
D. Pre-action
Pre-action
Fire sensors initiate pre-action charging of the water pipes that can then activate independently as in a wet pipe system. In other instances, the system may require both an independent fire sensor and one or more sprinklers to activate prior to water entering the system.
True or False: Halon is an older type of water-type fire protection system and is mostly no longer in use.
True
False
Halon is an older type of gas-type fire protection system and is mostly no longer in use.
BCDR
Business continuity and Disaster Recovery
In the case of a disaster who is responsible for protecting the environment
Everyone
In the case of a disaster, who identifies evidence and potential sources of evidence:
The forensics team and the first responder
What are the advantages of UEBA
UEBA provides information at the user level, and not just security information provided by more conventional solutions, such as firewalls. UEBA can provide information about deviations in normal user behavior based upon statistical analysis coupled with machine learning.
This is promising, because it means UEBA can assist in the detection of
insider threats,
compromised accounts,
brute-force attacks,
changes in permissions and creation of super-users, and
breaches of protected data.
What tool or device collects security information from multiple, disparate sources for better security examination?
Question options:
A) SIM (Security Information Management)
B) SEM (Security Event Management)
C) SIEM (Security Information and Event Management)
D) They all can
The correct answer is D. Many network devices can collect log data, but these logs may well be in different formats and in different locations. SIMs provide historical data whereas SEMs provide real-time data. Although there is no formal industry standard for SIEM, these devices combine the functionality of the SIMs and SEMs.
The practice referred to as “Change Enablement” in the Information Technology Infrastructure Library (ITIL) version 4 is one of the more widely adopted practices used in change management. ITIL defines three levels based on urgency, but which of the following is not one of them?
Question options:
A) Standard
B) Emergency
C) Zero-Day
D) Normal
The correct answer is C. The change management process encompasses all elements of change and is not restricted to software alone. ITIL defines these levels as the following: standard changes, which are relatively low-risk and follow established procedures; emergency changes, which must be implemented immediately; and normal changes, which do not fall into either of the other two levels. Zero-day vulnerabilities, typically software-related, might be an example of an emergency-level change, but zero-day is not one of ITIL’s classifications.
Which of the following statements is true about digital evidence?
Question options:
A) Evidence is useless if the original version has been changed in any way.
B) Evidence can expire.
C) Electronic evidence is inadmissible.
D) Evidence should be believable.
The correct answer is D. Evidence is material used to support a theory and argument concerning the events of an alleged crime. It must be presented in a format that is understandable to the intended audience (perhaps a jury), who must believe in the veracity of said evidence. While crimes might have a lifespan (a statute of limitations), evidence typically does not. Evidence that has been changed may be admissible if the changes have been documented to a court’s satisfaction. Electronic evidence is admissible.
Alternate Site
A general term for a contingency or continuity of operations (COOP) site used to assume system or organizational operations in the event that the primary site is not usable for a period of time
Types of baselines
* Enumerated baselines, which are inventory lists generated by systems cataloging, discovery, and enumeration tools.
* Configuration baselines, which have a revision or version identifier associated with each CI.
* Build or deployment baselines, which are configuration baselines for instances of a system being built for a specific purpose (such as security assessment) or environment (such as production or delivery to end users).
* Modification, update, or patch baselines, which are subsets of a total system baseline. These would contain only those CIs which have been modified.
* Security baselines, which associate the minimum acceptable set of security controls with each CI within a configuration baseline.
Creating a total inventory of a system, component by component, part by part.
Baselining
The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
Cyber Forensics
Service provided to on-premises data centers to recover to/from the cloud.
Disaster Recovery as a Service (DRaaS)
Monitoring the flow of information out of an organization’s control boundaries.
Egress monitoring
Any form of user, such as a hardware device, software daemon, task, processing thread or human, which is attempting to use or access systems resources.
Entity
In incident response, the activities which remove the cause of the incident from the environment. This often requires the use of a formal root cause analysis process.
Eradication
Any observable occurrence in a network or system
Event
Incorrectly classifying a benign activity, system state or configuration as malicious or vulnerable.
False Positive
Actions taken by a victim of hacking to compromise the systems of the alleged attacker.
Hackback
A method of machine learning which identifies patterns of acceptable activity so that deviations from those patterns can be identified.
Heuristics
A fully operational offsite data processing facility equipped with hardware and software, to be used in the event of an information system disruption.
Hot Site
The mitigation of violations of security policies and recommended practices
Incident response
A technical artifact or observable occurrence that suggests an attack is imminent or is currently underway, or that a compromise may have already occurred.
Indicator
A signal that an intrusion, malware, or other predefined hostile or hazardous set of events is occurring or has occurred
Indicators of Compromise (IOC)
Any entity or collaboration created or employed by public- or private-sector organizations, for purposes of gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems, to ensure their availability, integrity, and reliability.
Information Sharing and Analysis Center (ISAC)
A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so
Intrusion
Uses available information to determine whether an attack is underway and sends alerts, but also blocks the attack from reaching its intended target.
Intrusion Prevention Systems (IPS)
Signals from events that suggest a possible change of conditions (internal or external to the organization) may alter the current threat landscape. An increase in tensions in the local political or social environment, or complaints or grievances by employees or customers going viral in social media, are examples
Precursor(s)