Security Operations

Question 1

Security professionals often discuss two general conceptual classes of intrusion security mechanisms:

Answer 1

intrusion detection systems (IDSs) and intrusion prevention systems (IPSs).

Question 2

intrusion prevention system (IPS) is a solution that

Answer 2

monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorised access.

Question 3

IDS/IPS solutions can be deployed as

Answer 3

Perimeter placement
Host-based
Network-based

Question 4

IDS/IPS can detect malicious activity in a number of ways

Answer 4

Deviation
Signature
Pattern matching
Heuristic

Question 5

SIEM

Answer 5

Security Information and Event Management (system)

Question 6

ISCM

Answer 6

Information Security Continuous Monitoring

Question 7

DLP

Answer 7

Data loss protection

Question 8

DLP tools function by

Answer 8

comparing data leaving the control of the organization against a rule set to determine whether that action is allowed

Question 9

The DLP rule set can be defined by the following

Answer 9

Signature, Pattern Matching, Labelling

Question 10

UEBA

Answer 10

User and Entity Behaviour Analytics

Question 11

Perhaps the most striking example of the limitations of monitoring tools was shown in the ____________ compromise, also known as the ____________ hack

Answer 11

Perhaps the most striking example of the limitations of monitoring tools was shown in the SolarWinds compromise, also known as the SUNBURST hack

Question 12

Data loss prevention (DLP) tools can serve many functions including the following except:
A. Compliance
B. Security
C. Asset management
D. Intrusion detection

Answer 12

The correct answer is D.

Intrusion detection is not one of the functions. DLP tools can serve many functions, but it depends on how they are deployed and what settings the organization applies.

Question 13

ITIL

Answer 13

Information Technology Infrastructure Library

Question 14

One of the more widely adopted information technology change practices is defined in the Information Technology Infrastructure Library (ITIL) version 4, under the name of …

Answer 14

Change Enablement.

Question 15

The ITIL process distinguishes changes among three levels based on their urgency

Answer 15

Standard changes, which are relatively low-risk and follow established procedures,
Emergency changes are those which must be implemented immediately, and
Normal changes, which do not fall into either of the other two levels.

Question 16

Once the organization has identified its Configuration Items, the minimum set of security controls associated with that item are identified. This is the …

Answer 16

baseline (or, less ambiguously, the security baseline) for that particular CI.

Question 17

During the initiation phase, Requests for Change (RFC) typically address all of the following except:
A. Identification of change requirements
B. Risk assessment
C. Documentation of the RFC
D. Evaluating the RFC for completeness

Answer 17

The correct answer is D.

Evaluating the RFC for completeness is part of the change review and approval process.

Question 18

What is the difference between an incident and an event

Answer 18

Events occur when a change in a systems state occurs. The event becomes an incident when there’s a possibility of harm.

Question 19

NIST Special Publication 800-61, Computer Security Incident Handling Guide, structures incident response activities in a four-phase lifecycle:

Answer 19

Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity

Question 20

ISO/IEC 27035 phases of incident management consist of

Answer 20

Planning and preparation
Detection and reporting
Assessment and decision
Response
Lessons learned

Question 21

NIST SP 800-61 phases of incident management consist of:

Answer 21

Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity

Question 22

Under the Gramm-Leach-Bliley Act (GLBA), how long do organizations have to report cyber related compromises of a customer’s personally identifiable information (PII)?

Answer 22

36 hours

Question 23

What ISO/IEC standard defines security incident management in five phases?

Answer 23

27035

Question 24

List four standards that identify incident response as an essential control.

Answer 24

PCI DSS (Payment Card Industry Data Security Standard)
COBIT (Control Objectives for Information and Related Technologies)
SOC 2 (Trust Services Criteria) and the EU Network Information Security Directive 2016/1148

Question 25

What are the four primary steps necessary for a cyber-forensic investigation?

Answer 25

Collection
Examination
Analysis
Reporting

Question 26

What are the processes of SOAR?
A. Security orchestration, security automation, security response
B. Security, orchestration, automation, response
C. Security, orchestration, automation, recovery
D. Security, orchestration, authorization, response

Answer 26

A Security orchestration, security automation, security response

Question 27

What are honeypots

Answer 27

machines that exist on the network but do not contain sensitive or valuable data

Question 28

Typically, honeypots are placed in the network …

Answer 28

demilitarized zone (DMZ)

Question 29

What type of security is threatening the defence in depth model

Answer 29

Software defined security (SDS)

Question 30

What is the difference between a differential backup and an incremental backup

Answer 30

A differential backup backs up all files since the last full backup. An incremental backs up all files since the last incremental backup

Question 31

Hot site activation is typically measured in

Answer 31

minutes to hours

Question 32

Warm site activation tends to be measured in

Answer 32

in hours to days

Question 33

Cold backup site activation times are measured in

Answer 33

weeks if not months.

Question 34

RAID 0

Answer 34

Not actually a redundancy configuration, as the array has no parity bits. RAID 0 stripes data across two devices, optimizing the performance over a single device.

Question 35

RAID 1:

Answer 35

RAID 1: Another method that does not typically use parity bits (and RAID 1 does not even use striping); instead, the data is fully duplicated across two identical drives so that any part of the data set can be recovered if a single drive fails. This can be costly but also serves as a backup for the production data.

Question 36

RAID 2: 

Answer 36

A legacy technique not currently in wide use.

Question 37

RAID 3 and 4: 

Answer 37

Data is striped across multiple drives, and a distinct drive is used to store parity information. RAID 3 stripes data at the byte level; RAID 4 at the block level.

Question 38

These RAID configurations may not be optimum for organisations seeking high availability environments, as the parity drive in each represents a potential single point of failure.

Answer 38

Raid 3 and 4

Question 39

RAID 5

Answer 39

Both the data and the parity bits are striped across multiple disks; provides high availability.

Question 40

RAID 6:

Answer 40

 Uses data striping and two sets of parity bits striped across multiple disks; two drives can fail and the data can still be recovered.

Question 41

What is CPTED

Answer 41

By directing the flow of people, using passive techniques to signal who should and should not be in a space and providing visibility to otherwise hidden spaces, the likelihood decreases that someone will commit a crime in that area

Question 42

Status of the Uptime Institute 4 Tier model

Answer 42

Not in statute but widely adopted

Question 43

SCIF

Answer 43

sensitive compartmented information facilities

Question 44

Which type of water-based fire suppression system combines elements of wet and dry pipe actions?
A. Wet pipe
B. Dry pipe
C. Deluge
D. Pre-action

Answer 44

Pre-action
Fire sensors initiate pre-action charging of the water pipes that can then activate independently as in a wet pipe system. In other instances, the system may require both an independent fire sensor and one or more sprinklers to activate prior to water entering the system.

Question 45

True or False: Halon is an older type of water-type fire protection system and is mostly no longer in use.
True
False

Answer 45

Halon is an older type of gas-type fire protection system and is mostly no longer in use.

Question 46

BCDR

Answer 46

Business continuity and Disaster Recovery

Question 47

In the case of a disaster who is responsible for protecting the environment

Answer 47

Everyone

Question 48

In the case of disaster who Identifies evidence and potential sources of evidence:

Answer 48

The forensics team and the first responder

Question 49

What are the advantages of UEBA

Answer 49

UEBA provides information at the user level, and not just security information provided by more conventional solutions, such as firewalls. UEBA can provide information about deviations in normal user behavior based upon statistical analysis coupled with machine learning.
This is promising, because it means UEBA can assist in the detection of
insider threats,
compromised accounts,
brute-force attacks,
changes in permissions and creation of super-users
breaches of protected data.

Question 50

What tool or device collects security information from multiple, disparate sources for better security examination?
Question options:

A) SIM (Security Information Management)
B) SEM (Security Event Management)
C) SIEM (Security Information and Event Management)
D) They all can

Answer 50

The correct answer is D. Many network devices can collect log data
but these logs may well be in different formats and in different
locations. SIMs provide historical data whereas SEMs provide realtime data. Although there is no formal industry standard for SIEM, these devices combine the functionality of the SIMs and SEMs.

Question 51

Referred to as “Change Enablement,” the Information Technology Infrastructure Library (ITIL) version 4, is one of the more widely adopted practices used in change management. ITIL defines three levels based on urgency, but which of the following is not one of them?
Question options:

A) Standard
B) Emergency
C) Zero-Day
D) Normal

Answer 51

The change management process
encompasses all elements of change and is not restricted to software
alone. ITIL defines these levels as the following: Standard changes which are relatively low-risk and follow established procedures; emergency changes, which are those which must be implemented immediately; and normal changes, which do not fall into either of the other two levels. Zero-day vulnerabilities, typically software-related, might be an example of an emergency level but it is not one of ITIL’s classifications.

Question 52

Which of the following statements is true about digital evidence?
Question options:

A) Evidence is useless if the original version has been changed in any way.
B) Evidence can expire.
C) Electronic evidence is inadmissible.
D) Evidence should be believable.

Answer 52

The correct answer is D. Evidence is material used to support a
theory and argument concerning the events of an alleged crime.
It must be presented in a format that is understandable to the
intended audience (perhaps a jury) who must believe in the veracity
of said evidence. While crimes might have a lifespan (a statute of
limitations), evidence typically does not. Evidence that has been
changed may be admissible, if the changes have been documented
to a court’s satisfaction. Electronic evidence is admissible.

Question 53

Alternate Site

Answer 53

A general term for a contingency or continuity of operations (COOP) site used to assume system or organizational operations in the event that the primary site is not usable for a period of time

Question 54

Types of baselines

Answer 54

*Enumerated baselines, which are inventory lists generated by systems cataloging, discovery, and enumeration tools.
*Configuration baselines, which have a revision or version identifier associated with each CI.
*Build or deployment baselines, which are configuration baselines for instances of a system being built for a specific purpose (such as security assessment) or environment (such as production or delivery to end users).
*Modification, update, or patch baselines, which are subsets of a total system baseline. These would contain only those CIs which have been modified.
*Security baselines associate the minimum acceptable set of security controls for each CI within a configuration baseline.

Question 55

Creating a total inventory of a system, component by component, part by part.

Answer 55

Baselining

Question 56

The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

Answer 56

Cyber Forensics

Question 57

Service provided to on-premises data centers to recover to/from the cloud.

Answer 57

Disaster Recovery as a Service (DRaaS)

Question 58

Monitoring the flow of information out of an organization’s control boundaries.

Answer 58

Egress monitoring

Question 59

Any form of user, such as a hardware device, software daemon, task, processing thread or human, which is attempting to use or access systems resources.

Answer 59

Entity

Question 60

In incident response, the activities which remove the cause of the incident from the environment. This often requires the use of a formal root cause analysis process.

Answer 60

Eradication

Question 61

Any observable occurrence in a network or system

Answer 61

Event

Question 62

Incorrectly classifying a benign activity, system state or configuration as malicious or vulnerable.

Answer 62

False Positive

Question 63

Actions taken by a victim of hacking to compromise the systems of the alleged attacker .

Answer 63

Hackback

Question 64

A method of machine learning, which identifies patterns of acceptable activity so that deviations from the patterns will be identified.

Answer 64

Heuristics

Question 65

A fully operational offsite data processing facility equipped with hardware and software, to be used in the event of an information system disruption.

Answer 65

Hot Site

Question 66

The mitigation of violations of security policies and recommended practices

Answer 66

Incident response

Question 67

A technical artifact or observable occurrence that suggests an attack is imminent or is currently underway, or that a compromise may have already occurred.

Answer 67

Indicator

Question 68

A signal that an intrusion, malware, or other predefined hostile or hazardous set of events is occurring or has occurred

Answer 68

Indicators of Compromise (IOC)

Question 69

Any entity or collaboration created or employed by public- or private-sector organizations, for purposes of gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems, to ensure their availability, integrity, and reliability.

Answer 69

Information Sharing and Analysis Center (ISAC)

Question 70

A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so

Answer 70

Intrusion

Question 71

Use available information to determine if an attack is underway, send alerts, but also block the attack from reaching its intended target.

Answer 71

Intrusion Prevention Systems (IPS)

Question 72

Signals from events that suggest a possible change of conditions (internal or external to the organization) may alter the current threat landscape. An increase in tensions in the local political or social environment, or complaints or grievances by employees or customers going viral in social media, are examples

Answer 72

Precursor(s)