Security Operations

Question 1

The concept that no single individual has complete authority or control of a critical system is known by which term?

Answer 1

Separation of duties

Question 2

What 3 advantages does separation of duties provide?

Answer 2

• Reduces opportunities for fraud or abuse
• Reduces mistakes
• Reduces dependence on individuals

Question 3

The concept involving regularly transferring key personnel into different positions or departments within an organisation is otherwise known as what?

Answer 3

Job rotation

Question 4

What are 3 advantages of job rotation?

Answer 4

• Reduces opportunities for fraud or abuse
• Eliminate single points of failure
• Promote professional growth

Question 5

What are 4 advantages of mandatory vacations?

Answer 5

• provides opportunity to uncover fraud or abuse
• Reduce individual stress, thus reducing the potential for mistakes or coercion by others
• Discover inefficient process with another individual performs role in their absence.
• Reveal single points of failure and opportunities for job rotation and separation of duties/responsibilities

Question 6

What is the concept of “Need-to-know”?

Answer 6

• states that only people with a valid to need to know certain information in order to perform their job functions, should have access to that information.
• user must have relevant security clearance

Question 7

What is the principle of “Least Privilege”?

Answer 7

persons should have the capability to perform only the tasks that are required to perform their primary jobs and nothing more.

Question 8

What is the difference between the concepts of “Need-to-know” and “Least Privilege”?

Answer 8

“Need to know” is concerned with access control whereas “Least privilege” is concerned with functionality.

Question 9

How can the “accumulation or privileges” occur?

Answer 9

When an employee moves to another role within the same organisation, but previous access rights are not revoked.

Question 10

What is the main benefit of server virtualisation?

Answer 10

Reduces single point of failure as a virtual server can be replicated or moved from one physical server to another.

Question 11

What things should be considered for systems regarding single points of failure?

Answer 11

• Redundant Power Supplies
• Multiple Power Supplies
• Cooling Fans
• RAID (Hot swappable)
• Can the system be clustered or virtualised?
• Can data be replicated to another system in real time?

Question 12

What things should be considered for networks regarding single points of failure?

Answer 12

• Do routers/ firewalls failover automatically and do they fail-back?
• Do routers have multiple paths available to network destinations?
• Do you have multiple service providers and do they share the same point of presence (POP)?
• What happens if the connection to your telecommunications provider’s central office is cut?
• Do your multiple telecoms providers networks go through the same telecoms hotel?

Question 13

What is a telecoms hotel?

Answer 13

The facility that houses equipment belonging to many different telecoms providers

Question 14

What things should be considered for processes regarding single points of failure?

Answer 14

• Do your personnel security policies and practices create single points of failure? ie you might have separation of duties, but not rotation of duties.
• Do you have contingency processes in place in case a primary system, process or person is unavailable?

Question 15

4 key elements of handling sensitive information:

Answer 15

• Marking
• Handling
• Storage and Backup
• Destruction

Question 16

When a system failure occurs, in which type of environment may access be lost?

Answer 16

Fail-soft or fail-closed

Question 17

When a system failure occurs, in which type of environment will access be open to all?

Answer 17

Fail-open

Question 18

When a system crash occurs, what term is used to describe the system when access has been restored?

Answer 18

Fail-back

Question 19

What term is used to describe strategic and tactical errors that an organisation can face whether by performing an action or failure to perform an action?

Answer 19

Errors & Omissions (E&O)

Question 20

What is Errors & Omissions liability otherwise known as in legal terms?

Answer 20

Professional Liability

Question 21

What term is used to describe software that typically damages or disables, takes control of, or steals information from a computer system?

Answer 21

Malware

Question 22

Name 9 common types of malware:

Answer 22

• Adware
• Backdoors
• Bootkits
• Logic Bombs
• Rootkits
• Spyware
• Trojan Horses
• Viruses
• Worms

Question 23

Which type of malware uses pop-up advertising programs?

Answer 23

Adware

Question 24

Which type of malware uses malicious code that allows an attacker to bypass normal authentication to allow an attacker to gain access to a compromised system?

Answer 24

Backdoor

Question 25

Which type of malware is a kernel mode variant of a rootkit, commonly used to attack computers that are attacked by full disk encryption?

Answer 25

Bootkits

Question 26

Which type of malware used malicious code that is activated when a specific condition is met, such as a particular date or event?

Answer 26

Logic Bomb

Question 27

Which type of malware used malicious code to provide privileged (root level) access to a machine?

Answer 27

Root-kit

Question 28

Which type of malware uses malicious software that collects information without a users knowledge and/or interferes with the operation of a computer by redirecting them to a web browser or installing additional malware?

Answer 28

Spy-ware

Question 29

Which type of malware uses malicious software that masquerades as a legitimate program?

Answer 29

Trojan Horse

Question 30

Which type of malware uses malicious code that requires a user to perform a specific action to become active such as clicking an executable, attachment or link to become active?

Answer 30

Virus

Question 31

Which type of malware uses malicious code that is spread rapidly across a network without any user interaction required to activate it. This type of malware typically exploits known vulnerabilities and flaws that have not been patched.

Answer 31

Worms

Question 32

What term would be used to describe an individual machine that has been infected with malware and is under the control of the attacker?

Answer 32

Bot

Question 33

What is a Bot-herder?

Answer 33

An attacker that uses malware to take control of the infected system.

Question 34

What is a botnet?

Answer 34

• A network of infected machines (bots)
• They typically have many command and control servers distributed all over the internet which gives the botnet a resilient distributed infrastructure.

Question 35

What is an Advanced Persistant Threat (APT)?

Answer 35

targeted intrusions used by groups that use sophisticated botnets to attack a specific target such as an enterprise or government network.

Question 36

What are the 5 main system security controls?

Answer 36

• Preventative
• Detective
• Corrective
• Automatic
• Manual

Question 37

What are the 6 main operational controls?

Answer 37

• Resource Protection
• Privileged Entity Controls
• Change Controls
• Media Controls
• Administrative Controls
• Trusted recovery

Question 38

What operational control is used to protect information assets and information infrastructure?

Answer 38

Resource Protection

Question 39

Resource Protection can be categorised into 6 areas. What are they?

Answer 39

Comms hardware and software
Computers and their storage systems
Business Data
System Data
Backup Media
Software

Question 40

Which Operational Control describes the mechanisms, generally built into the computer OS, which give privileged access to hardware, software and data?

Answer 40

Privileged entity controls

Question 41

What are the two prevalent forms of change control?

Answer 41

Change Management and Configuration Management

Question 42

Approval based process that ensures only approved changes are implemented is known as what?

Answer 42

Change Management

Question 43

the controls hat records soft-configuration and software changes with approval via the change management process is known as what?

Answer 43

Configuration Management

Question 44

information classifications and physical media control are controlled by which operational control?

Answer 44

Media Control

Question 45

Least privilege, Separation of duties and rotation of duties are categorised under which operational control?

Answer 45

Administrative Controls

Question 46

Documented processes and procedures for system recovery fall under which operational control?

Answer 46

Trusted recovery

Question 47

What are four common reasons for having system audit trails in place?

Answer 47

• Accountability
• Investigation
• Event reconstruction
• Problem identification

Question 48

List 9 common types of penetration testing:

Answer 48

Port scanning
Vulnerability scanning
Packet sniffing
War dialling
War driving
Radiation Monitoring
Dumpster diving
Eaves dropping
Social engineering

Question 49

What is port scanning?

Answer 49

The scanning of a target machine across a network for open un-used ports, that should either be de-activated or patched.

Question 50

Name 3 examples of port scanning tool?

Answer 50

Nmap
Nessus
SATAN

Question 51

What is vulnerability scanning?

Answer 51

A means of identifying exploitable vulnerabilities in a system

Question 52

What is packet sniffing?

Answer 52

A tool that captures all TCP/IP packets transmitted on a network or device

Question 53

How does packet sniffing differ on a switched media LAN?

Answer 53

Sniffers on switched-media LANs generally only pick up packets intended for the device running the sniffer

Question 54

What mode is used were a network adapter accepts all packets, not just packets destined for the system, and sends them to the operating system?

Answer 54

Promiscuous Mode

Question 55

What is war dialling?

Answer 55

War dialling is used to sequentially dial all phone number in a range to discover any active modems

Question 56

What is war driving?

Answer 56

War driving is the 21st century version of war dialling. Someone uses a laptop with a wireless LAN card and drives around densely populated areas looked for unprotected or poorly protected wireless LAN’s

Question 57

What is radiation monitoring?

Answer 57

The practice of determining what data is being displayed on monitors, transmitted on LAN’s or processed on computers using radio frequency/electromagnetic emanations.

Question 58

What is dumpster diving?

Answer 58

Exactly what it says

Question 59

What is eavesdropping?

Answer 59

Exactly what it says

Question 60

What is shoulder surfing?

Answer 60

Watching them work with discreet over the should glances

Question 61

What is social engineering?

Answer 61

active way of physically getting information form workers. low tech can involve a hacker masquerading as someone else

Question 62

What are the two common types of intrusion detection systems?

Answer 62

Network based IDS

Host based IDS

Question 63

What two methods are used by IDS?

Answer 63

• Signature based

- Anomaly based

Question 64

What is signature based IDS?

Answer 64

• compares network traffic that is observed with a list of patterns in a signature file. Downside is that it only detects known attacks and has to be periodically updated

Question 65

What is anomaly based IDS?

Answer 65

• monitors all traffic on a network and build traffic profiles. over time the IDS will report deviations from the reports that it has built. Downside is that you may have higher false positives

Question 66

What is the difference between behaviour/heuristic based IDS and anomaly based IDS?

Answer 66

Rather than detecting anomalies to normal traffic patterns, behaviour-based and heuristics-based systems attempt to recognise and learn potential attack patterns.

Question 67

What is the difference between IPS and IDS?

Answer 67

IPS detects and blocks intrusions, whereas IDS simply detects them

Question 68

What term is used to describe the science of examining activity and audit logs to discover inappropriate activity?

Answer 68

Violation Analysis

Question 69

What does violation analysis use as thresholds for differentiating violations from non-events?

Answer 69

Clipping levels

Question 70

Describe an example of where clipping levels are used?

Answer 70

the number of login attempts failed on a system per hour. if the limit (clipping level) is exceeded within that hour, then a violation has occurred.

Question 71

What is keystroke monitoring?

Answer 71

the recording of all input activities on a terminal or workstation.

Question 72

What is traffic and trend analysis?

Answer 72

monitoring of the activities of an individual or organisation, based on the type and volume of traffic on a network.

Question 73

Name 4 types of physical monitoring?

Answer 73

• watching logs of buildings with card-key access control
• monitoring unmanned entrances, ie CCTV
• Staffing key locations with security guards
• installing and monitoring security alarm sensors

Question 74

What is the process of detecting, responding and fixing a problem known as?

Answer 74

incident management or problem management

Question 75

What is a system operator?

Answer 75

normally found in data center environments. managing infrastructure.

Question 76

What is the extent of the security admins role in relation to background checks?

Answer 76

checking that they have been completed prior to assigning accounts.

Question 77

What is Account Validation?

Answer 77

Period reviewed of inactive accounts

Question 78

In the US, US Civilian Government Agencies are required to report breaches of personal identifiable information to whom with a n hour of occurring?

Answer 78

US-CERT (US Computer Emergency readiness Team)

Question 79

What is Root Cause Analysis? (RCA)

Answer 79

asking why until there is only one answer

Question 80

What is the difference between incident management and problem management?

Answer 80

Incident is concerned with managing an adverse event, whereas problem management is concerned with tracking the event back to its root cause. Incident limits the affect whereas problem addresses defects

Question 81

What can be obtained from the following?

Answer 81

cve. mitre.org (Common Vulnerability Exposure Database)
nvd. nist.gov (Online database of known vulnerabilities managed by NIST
www. cert.gov (online resource for a wide variety of information on known vulnerabilities

Question 82

What is the last step of the patch management process?

Answer 82

Documentation

Question 83

What are two characteristics of a SAN?

Answer 83

• dedicated block level storage on a dedicated network.

- utilise protocols like iSCSI to appear to operating systems as locally attach devices

Question 84

What is a NAS?

Answer 84

designed to simply store and serve files, ie FTP server, file server

Question 85

What term is used to describe multiple disks used for a single partition?

Answer 85

Concatenation (a concatenated disk will appear tot the OS as a single drive

Question 86

RAID levels:

Answer 86

• RAID 0:no redundancy
• RAID 1:mirroring. ocstly due to needing double the disk space.
• RAID 2:theoretical and not used in practice.
• RAID 3:requires 3 or more drives. data is striped at byte level. has a dedicated parity drive to reconstruct data
• RAID 4: requires 3 or more drives. data is striped at block level. has a dedicated parity drive to reconstruct data
• RAID 5: requires 3 or more drives. parity information accross all drives.
• RAID 6: extends capabilities of RAID 5. dual parity. accommodates failure of two drives however performance is poor and not widely used.
• RAID 0+1: uses two different sets of disks. one for striping and for mirroring data to different set of disks.
• RAIS1+0: Each drive is mirrored to amatching set. wen data is striped to one it is immediately striped to the other. (better for speed and redundancy)

Question 87

Which type of RAID is most commonly used?

Answer 87

RAID 5

Question 88

What is RAIT?

Answer 88

Redundant Array of Independent Tapes. used for tape media