Security Operations Flashcards
What outlines the scope, objectives, limitations, and boundaries of a penetration test?
Rules of Engagement (RoE)
What is active reconnaissance?
- When a pen-tester actively probes and scans the target environment to gather information
- Ex. Port/service scans, vulnerability scans
What is passive reconnaissance?
- Involves gathering information without directly interacting with the target systems
- Ex. Monitoring traffic or analyzing publicly available information
What is required for an organization to properly manage its restore process in the event of system failure?
DRP (Disaster Recovery Plan)
What is the purpose of a RPO?
Covers the amount of data that is expected to be recovered given a failure
If you wanted to inspect data about an executable than ran on a employee’s laptop, what logs would you use?
Endpoint/host logs
What is the purpose of a DRP?
A plan for the whole recovery process necessary to restore the system
What is it called when an analyst proactively searches for signs of compromise or suspicious actives within the network?
Threat hunting
What encryption technique would you use to protect data on an employees’ laptop?
Full disk encryption
What should a security administrator adhere to when setting up a new set of firewall rules?
Change management procedure
What is it called when companies pay non-employees to find vulnerabilities?
Bug bounty
What document would a company provide to a client to outline the project, cost, and the completion time frame?
SOW (Statement of Work)
What should be done first when a high-priority patch to a production system needs to be applied?
Create a change control request
Why should root cause analysis be conducted as part of incident response?
To prevent future incidents of the same nature
What is the most likely outcome if a large bank fails an internal PCI DSS compliance assessment?
Audit findings
What is it when a company determines the staffing levels needed to sustain business operations during a disruption?
- Capacity planning
- This ensures that the organization has sufficient human resources to maintain essential functions and minimize downtime
What is it called when a company required hard drives to be securely wiped before sending decommissioned systems to recycling?
Sanitization
What data classification should be used to secure and protect patient data?
Sensitive
What team can a company hire to perform an offensive security assessment covering penetration testing and social engineering?
Red
What team would perform a defensive security assessment?
Blue
What can be used to identify potential attacker activities without affecting production servers?
Honeypot
What is the process called when an incident response team engages in the process of understanding the source of an incident?
Analysis
What should be done after a security network completes a vulnerability assessment of the network and remedies the vulnerabilities?
Rescan the network
What does automation involve?
Using tools and scripts to regularly check and report on the security settings of servers
What script should you write to streamline account creation?
User provisioning script
What type of control is described by a company setting up a SIEM system and assigning an analyst to review the logs on a weekly basis?
Detective
What is tuning?
Setting a monitoring system to have higher, or lower threat detection standards
What is the primary security concern of setting up a BYOD program?
Jailbreaking
What is ARO?
- Annualized Rate of Occurrence
- This estimated the frequency with which a specific risk or event is expected to occur in a year
- Helps assess the likelihood of risks
What is RTO?
- Recovery Time Objective
- The maximum acceptable amount of time that a system or application can be down after a failure/disaster
What would a company use to decide if they should reduce the cost of its annual cyber insurance policy by removing the coverage for ransomware attacks?
ARO
In what phase of the incident response process does a security analyst review roles and responsibilities?
Preparation
What should a security administrator set up so they can secure data by tracking changes in an environment?
FIM (File Integrity Monitoring)
What is FIM?
- File Integrity Monitoring
- A security technology that monitors and detects changes in files
- Can track modifications, access, or deletions of files and notify administrators of any changes
When implementing FDE on all laptops in an organization, what are two important considerations to make?
- Key escrow
- TPM presence
What is the purpose of key escrow?
To ensure encryption keys can be recovered in case they are lost or forgotten
What is TPM presence?
- A hardware-based security feature that can store encryption keys securely
- Enhances the security of FDE by protecting the keys from being accessed or tampered with
What incident response activity ensures evidence is properly handled?
Chain of custody
What does orchestration refer to?
The automated configuration, management, and coordination of systems, apps and services
In the context of data roles, the customer whose sensitive data is being collected, modified, and stored is referred to as what?
Subject
What is used to quantitatively measure the criticality of a vulnerability?
- CVSS
- Common Vulnerability Scoring System
An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system, what best describes this action?
Compensating controls
What is the most common data loss path for an air-gapped network?
Removable devices
An administrator reviewed log files after a ransomware attack, what control type is this?
Detective
A security analyst locates a potentially malicious video file on a server and needs to identify both the creation date and the file’s creator. How should they get the information required?
Query the file’s metadata
What team combines both offensive and defensive testing techniques to protect an organization’s critical systems?
Purple
What is the primary security implication of using end-of-life operating systems?
Lack of patch availability
What would help ensure a security analyst is able to accurately measure the overall risk to an organization when a new vulnerability is disclosed?
A full inventory of all hardware and software
What strategy must be employed to ensure data loss is prevented on stolen laptops?
Encryption at rest
What should an administrator do to prevent users from being able to access data based on their responsibilities in a simple format?
RBAC
What access management concepts will a company most likely use to safeguard intranet accounts and grant access to multiple sites based on a user’s intranet account?
- Federation
- Password complexity
What is a security alerting and monitoring tool that collects system, application, and network logs from multiple sources in a centralized system?
SIEM
What is the best way to handle a critical business application that is running on a legacy server?
Segmentation
What risk management strategy should an enterprise adopt first if a legacy application is critical to business operations and there are preventative controls that are not yet implemented?
Mitigation
What is the best way to secure an on-site data center against intrusion from an insider?
Access badge
The local administrator account for a company’s VPN appliance was unexpectedly used to log in to the remote management interface. What would most likely prevent this from happening?
Changing the default password
What is ALE (Annual Loss Expectancy)
Represents the expected monetary loss for an asset due to a risk over a year
What would be most useful in determining whether the long-term cost to transfer a risk is less than the impact of the risk?
ALE
What logs would you analyze to identify the impacted host in a command-and-control server incident?
DHCP and Firewall
What is a backout plan?
- A backout plan is a predefined strategy to reverse and recover from changes made to a system if the changes produce undesirable results
- It’s a safety measure that ensures data integrity and system availability.
