Security Operations Flashcards

2
Q
Which of the following activities is not considered a valid form of penetration testing?
A) Denial-of-service attacks
B) Port scanning
C) Distribution of malicious code
D) Packet sniffing
A

Distribution of malicious code

Distribution of malicious code will almost always result in damage or loss of assets and is not used in a penetration test. However, denial-of-service attacks, port scanning, and packet sniffing may all be included in a penetration test.

3
Q

Of the following choices, what is the best form of antivirus protection?
A) Multiple solutions on each system
B) A single solution throughout the organization
C) Antivirus protection at several locations
D) One hundred percent content filtering at all border gateways

A

Antivirus protection at several locations

A multipronged approach provides the best solution. This involves having antivirus software at several locations, such as at the boundary between the Internet and the internal network, at email servers, and on each system. More than one antivirus application on a single system isn’t recommended. A single solution for the whole organization is often ineffective because malware can get into the network in more than one way. Content filtering at border gateways (the boundary between the Internet and the internal network) is a good partial solution, but it won’t catch malware brought in through other methods.

4
Q
You need to ensure a service provided by a server will continue even if the server fails. What should you use?
A) Clustering
B) A RAID array
C) Hot site
D) UPS
A

Clustering

Failover clustering uses two or more servers and will ensure that a service will continue even if a server fails. A redundant array of independent disks (RAID) allows a disk subsystem to continue to operate even if a disk fails. A hot site is an alternative location maintained in a ready state that can be used if the primary location suffers a serious outage. An uninterruptible power supply (UPS) provides short-term power for a system if the primary power source is lost.

5
Q
What would an administrator use to check systems for known issues that attackers may use to exploit the systems?
A) Versioning tracker
B) Vulnerability scanner
C) Security audit
D) Security review
A

Vulnerability scanner

Vulnerability scanners are used to check systems for known issues and are part of an overall vulnerability management program. Versioning is used to track software versions and is unrelated to detecting vulnerabilities. Security audits and reviews help ensure that an organization is following its policies but wouldn’t directly check systems for vulnerabilities.

6
Q
Audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and cyclic redundancy checks (CRCs) are examples of what?
A) Directive controls
B) Preventive controls
C) Detective controls
D) Corrective controls
A

Detective controls

Examples of detective controls are audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and CRCs.

7
Q
Which operation is performed on media so it can be reused in a less-secure environment?
A) Erasing
B) Clearing
C) Purging
D) Overwriting
A

Purging

Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be used in less-secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.

8
Q
Auditing is a required factor to sustain and enforce what?
A) Accountability
B) Confidentiality
C) Accessibility
D) Redundancy
A

Accountability

Auditing is a required factor to sustain and enforce accountability.

9
Q
Which of the following would be completed during the remediation and review stage of an incident response?
A) Contain the incident
B) Collect evidence
C) Rebuild system
D) Root cause analysis
A

Root cause analysis

An incident is examined during the remediation and review stage. A root cause analysis is generated in an attempt to discover the source of the problem. After the cause is discovered, the review will often identify a solution to help prevent a similar occurrence in the future. Containing the incident and collecting evidence are done early in the incident response process. Rebuilding a system may be needed during the recovery stage.

10
Q
What should be done as soon as an incident has been detected and verified?
A) Contain it
B) Report it
C) Remediate it
D) Gather evidence
A

Contain it

Containment should be the first step when an incident has been detected and verified, to limit the effect or scope of the incident. It should be reported based on an organization’s policies and governing laws, but this is not the first step. Remediation attempts to identify the cause of the incident and steps that can be taken to prevent a recurrence, but this is the last step, not the first. It is important to protect evidence while trying to contain an incident, but gathering the evidence will occur after containment.

11
Q

Which of the following is true for a host-based intrusion detection system (HIDS)?
A) It monitors an entire network.
B) It monitors a single system.
C) It’s invisible to attackers and authorized users.
D) It cannot detect malicious code.

A

It monitors a single system.

An HIDS monitors a single system looking for abnormal activity. A network-based IDS (NIDS) watches for abnormal activity on a network. An HIDS is normally visible as a running process on a system and provides alerts to authorized users. An HIDS can detect malicious code similar to how antivirus software can detect malicious code.

12
Q

Of the following choices, what is a primary goal of change management?
A) Personnel safety
B) Allowing rollback of changes
C) Ensuring that changes do not reduce security
D) Auditing privilege access

A

Ensuring that changes do not reduce security

The goal of change management is to ensure that any change does not lead to unintended outages or reduce security. Change management doesn’t affect personnel safety. A change management plan will commonly include a rollback plan, but that isn’t a specific goal of the program. Change management doesn’t perform any type of auditing.

13
Q
Which of the following requires that archives of audit logs be kept for long periods of time?
A) Data remanence
B) Record retention
C) Data diddling
D) Data mining
A

Record retention

Record retention policies define the amount of time to keep any data, including logs. Data remanence is data that remains on media after it has supposedly been removed. Data diddling refers to the modification of data before or during data entry resulting in incorrect or corrupt data. Data mining refers to extracting meaningful knowledge from large amounts of data.

14
Q

Of the following choices, what is not a valid security practice related to special privileges?
A) Monitor special privilege assignments.
B) Grant access equally to administrators and operators.
C) Monitor special privilege usage.
D) Grant access to only trusted employees.

A

Grant access equally to administrators and operators.

Special privileges should not be granted equally to administrators and operators. Special privileges are activities that require special access or elevated rights and permissions to perform many administrative and sensitive job tasks. Assignment and usage of these privileges should be monitored, and access should be granted only to trusted employees.

15
Q

Which of the following steps would not be included in a change management process?
A) Immediately implement the change if it will improve performance.
B) Request the change.
C) Create a rollback plan for the change.
D) Document the change.

A

Immediately implement the change if it will improve performance.

Change management processes may need to be temporarily bypassed to respond to an emergency situation, but they should not be bypassed simply because someone thinks it can improve performance. Even when a change is implemented in response to an emergency, it should still be documented and reviewed after the incident. Requesting changes, creating rollback plans, and documenting changes are all valid steps within a change management process.

16
Q

When using penetration testing to verify the strength of your security policy, which of the following is not recommended?
A) Mimicking attacks previously perpetrated against your system
B) Performing attacks without management knowledge
C) Using manual and automated attack tools
D) Reconfiguring the system to resolve any discovered vulnerabilities

A

Performing attacks without management knowledge

Penetration testing should be performed only with the knowledge and consent of the management staff. Unapproved security testing could result in productivity loss, trigger emergency response teams, and lead to legal action against the tester, including loss of employment. A penetration test can mimic previous attacks and use both manual and automated attack methods. After a penetration test, a system may be reconfigured to resolve discovered vulnerabilities.

17
Q
An organization wants to reduce vulnerabilities against collusion and fraud from malicious employees. Of the following choices, what would not help with this goal?
A) Job rotation
B) Separation of duties
C) Mandatory vacations
D) Baselining
A

Baselining

Baselining is used for configuration management and would not help reduce collusion or fraud. Job rotation, separation of duties, and mandatory vacation policies will all help reduce collusion and fraud.

18
Q
System architecture, system integrity, covert channel analysis, trusted facility management, and trusted recovery are elements of what security criteria?
A) Quality assurance
B) Operational assurance
C) Life cycle assurance
D) Quantity assurance
A

Operational assurance

Assurance is the degree of confidence you can place in the satisfaction of security needs of a computer, network, solution, and so on. Operational assurance focuses on the basic features and architecture of a system that lend themselves to supporting security.

19
Q
Of the following choices, what indicates the primary purpose of an intrusion detection system (IDS)?
A) Detect abnormal activity.
B) Diagnose system failures.
C) Rate system performance.
D) Test a system for vulnerabilities.
A

Detect abnormal activity.

An IDS automates the inspection of audit logs and real-time system events to detect abnormal activity indicating unauthorized system access. While IDSs can detect system failures and monitor system performance, they don’t include the ability to diagnose system failures or rate system performance. Vulnerability scanners are used to test systems for vulnerabilities.

20
Q
What is the most important aspect of marking media?
A) Date labeling
B) Content description
C) Electronic labeling
D) Classification
A

Classification

Classification is the most important aspect of marking media because it clearly identifies the value of the media and users know how to protect it based on the classification. Including information such as the date and a description of the content isn’t as important as marking the classification. Electronic labels or marks can be used, but when they are used, the most important information is still the classification of the data.

21
Q
Which of the following attacks sends packets with the victim's IP address as both the source and the destination?
A) Land
B) Spamming
C) Teardrop
D) Ping flood
A

Land

In a land attack, the attacker sends a victim numerous SYN packets that have been spoofed to use the same source and destination IP address as the victim’s IP address. Spamming attacks send unwanted email. A teardrop attack fragments traffic in such a way that data packets can’t be put together. A ping flood attack floods the victim with ping requests.

22
Q

Backup tapes have reached the end of their life cycle and need to be disposed of. What should be done with the tapes?
A) Throw them away. Because they are at the end of their life cycle, data cannot be obtained from them.
B) Purge the tapes of all data before disposing of them.
C) Erase data off the tapes before disposing of them.
D) Store the tapes in a storage facility.

A

Purge the tapes of all data before disposing of them.

The tapes should be purged, ensuring that data cannot be recovered using any known means. Even though tapes may be at the end of their life cycle, they can still hold data and should be purged before throwing them away. Erasing doesn’t remove all usable data from media, but purging does. There is no need to store the tapes if they are at the end of their life cycle.

23
Q

How does a SYN flood attack work?
A) Exploits a packet processing glitch in Windows systems
B) Uses an amplification network to flood a victim with packets
C) Exploits a three-way handshake used by TCP
D) Sends oversized ping packets to a victim

A

Exploits a three-way handshake used by TCP

A SYN flood attack disrupts the TCP three-way handshake process by never sending the third packet. It is not unique to any specific operating system such as Windows. Smurf attacks use amplification networks to flood a victim with packets. A ping-of-death attack uses oversized ping packets.

24
Q
Which of the following is not considered a denial-of-service attack?
A) Teardrop
B) Smurf
C) Ping of death
D) Spoofing
A

Spoofing

Spoofing is used by attackers to hide their identity in a variety of attacks but is not an attack by itself. Teardrop, smurf, and ping of death are all types of denial-of-service attacks.

25
Q
Which of the following types of intrusion detection systems (IDSs) is effective only against known attack methods?
A) Behavior-based
B) Host-based
C) Knowledge-based
D) Network-based
A

Knowledge-based

A knowledge-based (or signature-based) IDS is effective only against known attack methods. A behavior-based IDS starts by creating a baseline of activity to identify normal behavior and then measures system performance against the baseline to detect abnormal behavior, allowing it to detect previously unknown attack methods. Both host-based and network-based systems can be knowledge based, behavior based, or a combination of both.

26
Q

Which of the following is a procedure designed to test and perhaps bypass a system’s security controls?
A) Logging usage data
B) War dialing
C) Penetration testing
D) Deploying secured desktop workstations

A

Penetration testing

Penetration testing is the attempt to bypass security controls to test overall system security.

27
Q
While troubleshooting a network problem, a technician realized it could be resolved by opening some ports on a firewall. After these ports were opened, the system worked, but later an attack was launched through these ports, causing other system outages. What could have prevented this problem?
A) Patch management processes
B) Vulnerability management processes
C) Configuration management processes
D) Change management processes
A

Change management processes

Change management processes would ensure that changes are evaluated before being implemented to prevent unintended outages or needlessly weakening security. Patch management ensures systems are up-to-date, vulnerability management checks systems for known vulnerabilities, and configuration management ensures that systems are deployed similarly, but these other processes wouldn’t prevent an unauthorized change.

28
Q
What type of attack includes fragmented packets that cannot be reassembled?
A) Zero-day exploit
B) Spamming
C) Distributed denial-of-service
D) Teardrop
A

Teardrop

In a teardrop attack, an attacker fragments traffic in such a way that data packets cannot be put together. A zero-day exploit refers to an attack using vulnerabilities that are unknown to others. Spamming refers to sending massive quantities of unsolicited email. A distributed denial-of-service (DDoS) attack is an attack on a single system from multiple sources.

29
Q
A financial organization commonly has employees switch duty responsibilities every six months. What security principle are they employing?
A) Job rotation
B) Separation of duties
C) Mandatory vacations
D) Least privilege
A

Job rotation

A job rotation policy has employees rotate jobs or job responsibilities and can help detect instances of collusion and fraud. A separation of duties policy ensures that a single person doesn’t control all elements of a specific function. Mandatory vacation policies ensure that employees take an extended time away from their job, requiring someone else to cover the responsibilities, which increases the ability to discover fraud. Least privilege ensures that users have only the permissions they need to perform the job and no more.

30
Q

Sanitization can be unreliable because of which of the following?
A) Methods are not available to remove data and ensure that it cannot be retrieved using any known methods.
B) Even fully incinerated media can offer extractable data.
C) The process can be performed improperly.
D) Stored data is physically etched into the media.

A

The process can be performed improperly.

Sanitization can be unreliable because the purging, degaussing, or other processes can be performed improperly. When sanitization is done properly, purged data is not recoverable using any known methods. Data cannot be retrieved from incinerated, or burned, media. Data isn’t physically etched into the media.

31
Q
Of the following choices, which is the most common method of distributing malware?
A) Driving downloads
B) Email
C) Rogueware
D) Unapproved software
A

Email

Of the choices offered, email is the most common distribution method for viruses. Driving downloads isn’t a term used in IT security, but drive-by downloads are thought by some professionals to be overtaking email as the most common method of distribution. Rogueware (fake antivirus software) is a common method of tricking users but not the most common method. If users are able to install unapproved software, they may inadvertently install malware, but this isn’t the most common method either.

32
Q
Which of the following tools is most useful in sorting through large log files to search for intrusion-related events?
A) Text editor
B) Vulnerability scanner
C) Password cracker
D) IDS
A

IDS

An intrusion detection system (IDS) is the best tool to search through large log files looking for intrusion-related events. A text editor requires manually looking at logs. Vulnerability scanners and password crackers are not used to search through log files looking for intrusions.

33
Q
A user is granted access to data needed to perform specific work tasks, but no more. What is being enforced?
A) Principle of least permission
B) Separation of duties
C) Need to know
D) Role-based access control
A

Need to know

Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not used within IT security. Separation of duties ensures that a single person doesn’t control all the elements of a process. Role-based access control grants access to resources based on a role.

34
Q
Which of the following is not a part of a patch management process?
A) Evaluate patches.
B) Test patches.
C) Deploy all patches.
D) Audit patches.
A

Deploy all patches.

Only the patches that are needed should be deployed so an organization will not deploy all patches. Instead, an organization evaluates the patches to determine which patches are needed, tests them to ensure that they don’t cause unintended problems, deploys the approved and tested patches, and audits systems to ensure that patches have been applied.

35
Q
A web server hosted on the Internet was recently attacked, exploiting a vulnerability in the operating system. The operating system vendor assisted in the incident investigation and verified the vulnerability was not previously known. What type of attack was this?
A) Botnet
B) Zero-day exploit
C) Denial-of-service
D) Distributed denial-of-service
A

Zero-day exploit

A zero-day exploit takes advantage of a previously unknown vulnerability. A botnet is a group of computers controlled by a bot herder that can launch attacks, but it can exploit both known vulnerabilities and previously unknown vulnerabilities. Similarly, denial-of-service (DoS) and distributed DoS (DDoS) attacks could use zero-day exploits or use known methods.

36
Q

An organization has strictly implemented the principle of least privilege. Which of the following is not a likely outcome?
A) Users can log onto any computer in the network.
B) Users can log onto only a single system.
C) Users have restricted access to files based on their jobs.
D) Users do not have access to backup tapes.

A

Users can log onto any computer in the network.

The principle of least privilege restricts user privileges to what they need and no more. Users do not have a need to log onto any computer in the network. A policy used to implement the principle of least privilege can restrict users to a single computer, restrict access to files, and restrict access to backups.

37
Q

Why is separation of duties important for security purposes?
A) It ensures that multiple people can do the same job.
B) It prevents an organization from losing important information when they lose important people.
C) It prevents any single security subject (person) from being able to make major security changes without involving other subjects.
D) It helps subjects concentrate their talents where they will be most useful.

A

It prevents any single security subject (person) from being able to make major security changes without involving other subjects.

A separation of duties policy prevents a single person from controlling all elements of a process. When applied to security settings, it can prevent a person from making security changes without assistance. Job rotation helps ensure that multiple people can do the same job and can help prevent the organization from losing information when a single person leaves. Having subjects concentrate their talents is unrelated to separation of duties.

38
Q
What should be done with equipment that is at the end of its life cycle and is being donated to a charity?
A) Ensure that CDs and DVDs are removed.
B) Remove all software licenses.
C) Sanitize it.
D) Install the original software.
A

Sanitize it.

Systems should be sanitized when they reach the end of their life cycle to ensure that they do not include any sensitive data. Removing CDs and DVDs is part of the sanitization process, but other elements of the system, such as disk drives, should also be checked. Removing software licenses or installing the original software is not necessarily required unless the organization’s sanitization process requires it.

39
Q
Which of the following is a fake network designed to tempt intruders with unpatched and unprotected security vulnerabilities and false data?
A) IDS
B) Honeynet
C) Padded cell
D) Pseudo flaw
A

Honeynet

Honeypots are individual computers, and honeynets are entire networks created to serve as a trap for intruders. They look like legitimate networks and tempt intruders with unpatched and unprotected security vulnerabilities as well as attractive and tantalizing but false data. An intrusion detection system (IDS) will detect attacks. In some cases an IDS can divert an attacker to a padded cell, which is a simulated environment with fake data intended to keep the attacker’s interest. A pseudo flaw (used by many honeypots and honeynets) is a false vulnerability intentionally implanted in a system to tempt attackers.