Security Operations Flashcards
This domain represents 13 percent of the exam and covers many essential security concepts and routine operations, building on many of the other security domains, including security and risk management, assets, engineering, communication, and network security.
Q. 1 Which of the following is NOT a precaution that needs to be taken before monitoring email?
Coming up with strict procedures that define under what circumstances email may be searched
Posting a notice visible to all stating that email is company information subject to search
Issuing monitoring tools to all email administrators
Making sure that all employees know that email is being monitored
Issuing monitoring tools to all email administrators
Note
Issuing monitoring tools to email administrators is not a precaution. The other answers are all prudent steps that need to be taken before any monitoring is performed.
Q. 2 Entrapment is defined as
Leading someone to commit a crime that he or she wouldn’t otherwise have committed
Monitoring with the intent of recording a crime
Paying someone to commit a crime
Being caught with criminal evidence in one’s possession
Leading someone to commit a crime that he or she wouldn’t otherwise have committed
Note
Entrapment refers to the activities that lure an individual into committing a crime that he or she wouldn’t have otherwise committed.
Q. 3 A DRP checklist test
Is a basic review of disaster recovery procedures
Is a test of backup system business resumption procedures
Is a test of production system recovery procedures
Is a test of business process failover procedures
Is a basic review of disaster recovery procedures
Note
A checklist test is the simplest form of DR test in which procedures are reviewed.
Q. 4 The primary difference between a hot site and a warm site is
A hot site is physically closer to the organization’s data centers than a warm site
The warm site’s systems don’t have the organization’s data installed
The warm site doesn’t have computer systems in it
The warm site is powered down, but the hot site is powered up and ready to go
The warm site’s systems don’t have the organization’s data installed
Note
A warm site is the same as a hot site, except that applications and data aren’t installed on the warm site’s systems.
Q. 5 Which of the following are examples of a natural disaster? Drag and drop the correct answer(s) from top to bottom.
Flood
Terrorism
Pandemic
Tsunami
Flood
Pandemic
Tsunami
Note
Terrorism is a manmade disaster.
Q. 6 Forensics is the term that describes
Due process
Tracking hackers from other countries
Taking steps to preserve and record evidence
Scrubbing a system in order to return it to service
Taking steps to preserve and record evidence
Note
Forensics is the study and activity of discovering, preserving, and recording evidence.
Q. 7 The Disaster Recovery Plan needs to be continuously maintained because
The organization’s software versions are constantly changing
The organization’s business processes are constantly changing
The available software patches are constantly changing
The organization’s data is constantly changing
The organization’s business processes are constantly changing
Note
To be effective, a DRP must include all current critical business processes.
Q. 8 What’s considered the most effective form of magnetic media erasure?
Physical destruction
Degaussing
Overwriting
Relabeling
Physical destruction
Note
Only complete physical destruction will positively guarantee that data cannot be recovered from magnetic storage media.
Q. 9 Least privilege means
An analysis determines which privileges are required to complete a task
People who have high privileges delegate some of those privileges to others
The people who have the fewest access rights do all the work
Users should have the minimum privileges required to perform required tasks
Users should have the minimum privileges required to perform required tasks
Note
Least privilege means that users have access to only the data and functions required to perform their duties.
Q. 10 A data processing facility on truck trailers or in portable buildings is known as
A tornado magnet
A migratory backup site
A rolling backup site
A semi-permanent backup site
A rolling backup site
Note
A rolling (or mobile) backup site is a portable site located on a truck trailer or other portable facility.
Q. 11 What are the types of DRP tests? Drag and drop the correct answer(s) from top to bottom.
Checklist
Full interruption
Parallel
Simulation
Walkthrough
Checklist
Full interruption
Parallel
Simulation
Walkthrough
Note
The five types of DRP tests are checklist, walkthrough, simulation, parallel, and full interruption.
Q. 12 How is the organization’s DRP best kept up-to-date?
With random audits to identify changes in business processes
By maintaining lists of current software versions, patches, and configurations
By maintaining personnel contact lists
By regularly testing the DRP
By regularly testing the DRP
Note
Audits are useful for revealing changes that may be needed in the DRP.
Q. 13 The practice of separation of duties
Provides variety by rotating personnel among various tasks
Helps to prevent any single individual from compromising an information system
Ensures that the most experienced persons get the best tasks
Is used in large 24x7 operations
Helps to prevent any single individual from compromising an information system
Note
Separation of duties ensures that no single individual has too many privileges, which can lead to a security incident or fraud.
Q. 14 The process of identifying the reason for an incident is known as
Predictive analytics
Quality control
Finger pointing
Root cause analysis
Root cause analysis
Note
Root cause analysis is used to find the reason that a problem or incident occurred.
Q. 15 A parallel DRP test
Is resource intensive and rarely used
Tests the full responsiveness by shutting down production systems
Runs in parallel with production processing
Is a paper exercise to test theoretical response to a disaster
Runs in parallel with production processing
Note
A parallel test is a full test that DOES NOT shut down production systems.
Q. 16 Enticement is defined as
Being caught with criminal evidence in one’s possession
Leading someone to commit a crime that they wouldn’t otherwise have committed
Monitoring with the intent of recording a crime
Leading someone toward evidence after a crime has already been committed
Leading someone toward evidence after a crime has already been committed
Note
Enticement is used to keep a criminal at the scene of a crime. In the context of computer crime, a honeypot is a great way to keep an intruder around while his or her origin is traced.
Both entrapment and enticement involve persuading or leading someone to commit an unlawful act. Entrapment involves causing someone to commit an unlawful act that that person would not otherwise have committed. Enticement involves causing someone to commit an unlawful act (such as attacking a honeypot that records further evidence of a crime) after that person has already committed a crime (such as hacking into the network where the honeypot is located). Entrapment is illegal; enticement is not illegal. However, evidence collected through enticement may or may not be admissible in court proceedings.
Q. 17 Multiple versions of a DRP in the organization will
Ensure all essential personnel have a copy of the DRP
Provide a record of changes to the DRP for auditing purposes
Cause confusion during a disaster
Demonstrate due diligence in the event of civil litigation
Cause confusion during a disaster
Note
Only one version of the DRP should be available, in order to avoid confusion about the most current business processes, roles, and responsibilities.
Q. 18 Which of the following is NOT a security issue regarding single-user mode?
Authentication is disabled on all network services, such as Telnet and FTP
The administrator has full root privileges and can make system changes
Security features are disabled in single-user mode
The administrator can transmit information off the system without a trace
Authentication is disabled on all network services, such as Telnet and FTP
Note
Authentication being disabled on network services such as Telnet and FTP is a security concern on any system, not only on a system operating in single-user mode. Root privileges, disabled security features, and the ability to transmit information without detection are all important security concerns inherent to a system operating in single-user mode.
Q. 19 Why are communications with the media important during a disaster?
Emergency communications with personnel occur through the media
The media can report official status instead of relying on rumors
It’s required by the Securities and Exchange Commission
It’s recommended by the Business Contingency Planning Association
The media can report official status instead of relying on rumors
Note
In the absence of official communication with the media, inaccurate information about the disaster and its impact is likely to be spread.
Q. 20 A witness
Offers an opinion based on the facts of a case and on personal expertise
Is someone who was present at the scene of the crime
Has direct personal knowledge about the event in question
Can testify in criminal proceedings only
Has direct personal knowledge about the event in question
Note
A witness testifies to the facts of a case as he or she understands them.
Q. 21 What’s the purpose of off-site media storage?
An alternate backup media set in the event of a program bug
An alternate backup media set in the event of an operator error
An alternate backup media set in the event of a catastrophic hardware failure
An alternate backup media set in the event that the data center is destroyed
An alternate backup media set in the event that the data center is destroyed
Note
The primary intent for off-site media storage is to have a set of backup media available in case the primary data center is damaged or destroyed in the event of a disaster.
Q. 22 The number one priority during any disaster should always be
Communications
Personnel safety
Resumption of core business functions
Security of physical facilities
Personnel safety
Note
The lives and safety of people always come first.
Q. 23 The purpose of a honeypot is to
Log an intruder’s actions
Act as a decoy to lure attackers away from the real target, study attack methods, and collect evidence
Deflect Denial of Service attacks away from production servers
Provide direct evidence of a break-in
Act as a decoy to lure attackers away from the real target, study attack methods, and collect evidence
Note
A honeypot is designed to keep an intruder sniffing around long enough for investigators to determine his or her origin and/or identity.
Q. 24 What’s the potential security benefit of rotation of duties?
It reduces the risk that personnel will perform unauthorized activities
It ensures that all personnel are familiar with all security tasks
It’s used to detect covert activities
It ensures security because personnel aren’t too familiar with their duties
It reduces the risk that personnel will perform unauthorized activities
Note
Rotation of duties helps to prevent situations in which individuals are potentially tempted to perform unauthorized activities by limiting familiarity and increasing the risk of discovery by another individual subsequently performing the same duties.
Q. 25 A hot site is the most expensive because
Travel costs can be high
Duplicate staff salaries are high
HVAC systems are expensive to operate
It requires constant maintenance to keep systems synchronized
It requires constant maintenance to keep systems synchronized
Note
All systems, applications, and data must be kept current with the production site, including upgrades and patches.
Q. 26 The process of reviewing and approving changes in production systems is known as
Availability management
Configuration management
Change management
Resource control
Change management
Note
Change management is the function that controls changes made to a production environment.
Q. 27 Remote journaling refers to
A mechanism that transmits transactions to an alternate processing site
A procedure for maintaining multiple copies of change control records
A procedure for maintaining multiple copies of configuration management records
A mechanism that ensures the survivability of written records
A mechanism that transmits transactions to an alternate processing site
Note
Remote journaling keeps data up-to-date at an alternate site.
Q. 28 Which of the following tasks would typically be performed by a security administrator? Drag and drop the correct answer(s) from top to bottom.
Change file permissions
Virtualizing servers
Configuring user privileges
Installing system software
Reviewing audit data
Configuring user privileges
Reviewing audit data
Change file permissions
Note
Virtualizing servers and installing system software are tasks typically performed by a system administrator, not a security administrator.
Q. 29 What’s the purpose of a salvage team?
To resume critical business operations at the alternate processing site
To retrieve any needed items from off-site storage
To return the primary processing site to normal business operations
To salvage any usable or marketable assets after a disaster
To return the primary processing site to normal business operations
Note
The salvage team is responsible for resuming normal business operations at the primary site(s).
Q. 30 What’s the purpose of a recovery team?
To resume critical business operations at the alternate processing site
To retrieve any needed items from off-site storage
To return the primary processing site to normal business operations
To salvage any usable or marketable assets after a disaster
To resume critical business operations at the alternate processing site
Note
The recovery team is responsible for getting critical business operations up and running as soon as possible at an alternate site.
Q. 31 An expert witness
Offers an opinion based on the facts of a case and on personal expertise
Is someone who was present at the scene of the crime
Has direct personal knowledge about the event in question
Can testify in criminal proceedings only
Offers an opinion based on the facts of a case and on personal expertise
Note
An expert witness offers his or her opinion based on the facts of the case and on personal expertise.
Q. 32 The maximum period of time in which data might be lost if a disaster strikes is known as
RTO
RPO
MTD
MTBF
RPO
Note
Recovery point objective (RPO) is the maximum period of time in which data might be lost if a disaster strikes. RPO refers to the oldest acceptable backup of data for a specific application in an organization. For example, if the RPO is 24 hours, then the maximum period of time in which data might be lost if a disaster strikes is 24 hours. Recovery time objective (RTO) is the maximum acceptable amount of time that it takes to recover data from a backup. MTD refers to maximum tolerable downtime: how long an organization’s systems can be down after a disaster has occurred. For example, the MTD for critical systems might be one hour, while less critical systems might have an MTD of 4 hours, 24 hours, or one week. MTBF refers to mean time between failures and is used to express the average reliability of a system or component.
Q. 33 When is a disaster considered to be over?
When the governor declares the end of a state of emergency
When the recovery phase has begun
When all business operations have resumed at alternate operations site(s)
When all business operations have resumed at the primary operations site(s)
When all business operations have resumed at the primary operations site(s)
Note
A disaster is considered to be over when all normal business operations have resumed at the primary site(s).
Q. 34 Which of the following is NOT a concern for a hot site?
Programs and data at the hot site must be protected
A widespread disaster will strain the hot site’s resources
A hot site is expensive because of the controls and patches required
Computer equipment must be shipped quickly to the hot site in the event of a disaster
Computer equipment must be shipped quickly to the hot site in the event of a disaster
Note
A hot site already has computer equipment installed and ready.
Q. 35 Backing up data by sending it through a communications line to a remote location is known as what? Drag and drop the correct answer(s) from top to bottom.
Transaction journaling
Off-site storage
Electronic journaling
Electronic vaulting
Electronic vaulting
Note
Electronic vaulting describes backing up data to another location over a communications network.
Q. 36 The purpose of a Service Level Agreement is
To guarantee a minimum performance level for an application or function
To guarantee the maximum performance level for an application or function
To identify gaps in availability of an application
To correct issues identified in a security audit
To guarantee a minimum performance level for an application or function
Note
An SLA defines minimum performance metrics required in an application or service.
Q. 37 What’s the purpose of a Criticality Assessment?
It identifies the funding required during a disaster
It identifies the critical personnel in the organization
It identifies the critical path to full disaster recovery
It identifies the processes and resources that are most important for business operations
It identifies the processes and resources that are most important for business operations
Note
A criticality assessment is used to identify the most critical business processes and functions in an organization.
Q. 38 The process of maintaining and documenting software versions and settings is known as
Availability management
Configuration management
Change management
Resource control
Configuration management
Note
Configuration management is the function that is used to document software versions and settings.
Q. 39 The purpose of root cause analysis is to
Determine all possible reasons for an incident
Determine the primary reason for an incident
Determine the source of a malware attack
Determine which forensic evidence is significant
Determine the primary reason for an incident
Note
Root cause analysis determines the main reason that an incident occurred.
Q. 40 Standards for the reuse of magnetic media specify what minimum for magnetic media reuse?
Degauss the media three times
Degauss the media seven times
Overwrite or format the media seven times
Overwrite or format the media 21 times
Overwrite or format the media seven times
Note
Magnetic media must be overwritten or formatted at least seven times to ensure complete erasure to prevent recovery of data that was previously written to it.
Q. 41 Configuration management is used to
Document the approval process for configuration changes
Control the approval process for configuration changes
Ensure that changes made to an information system don’t compromise its security
Preserve a complete history of the changes to software or data in a system
Preserve a complete history of the changes to software or data in a system
Note
Configuration management is used to preserve all prior settings or versions of software or hardware.