Security Operations

Question 1

Planning

Answer 1

security should be consider prior to development

Question 2

Provisioning

Answer 2

prep for deployment and instantiating user, system, or service
Security baseline and configuration management key principles

Question 3

Baseline configuration

Answer 3

need well-vetted hardened baseline configuration

Question 4

Building baseline configuration

Answer 4

don’t start from scratch
Determine reasonable starting point
establish consistent configuration across the majority of the systems
Reduce time to recover a deployed system

Question 5

Infrastructure as a Service (IAAS)
Platform as a Service (PAAS)
Software as a Service (SAAS)

Answer 5

Root access
Web Service
Gmail

Question 6

Cloud Server (Provisioning)

Answer 6

Vuln - weakness present in preconfigured image

Question 7

Types of Firewall

Answer 7

Packet Filter
Stateful
Proxy
Next Generation Firewalls (NGFW)

Question 8

Packet filtering firewall

Answer 8

examines each packet independently
No idea where packet came from
fast, not secure.
ACL on some devices

Question 9

Firewall: Stateful

Answer 9

Slower

Lookup table

Question 10

Proxy Firewall

Answer 10

2 TCP connection for each request, client & server

In between, inspect, process packets at all seven layers

Question 11

Firewall: Circuit Level

Answer 11

Operates at session layer
does not use application level proxy software
SOCKS - replaces network connection with socks call

Question 12

Firewall: Application Level

Answer 12

Proxy server software/Layer 7

Act as in between, moves packet from one network to another

Question 13

Firewall: Next Generation Firewall (NGFW)

Answer 13

packet inspection beyond ports/protocols

Question 14

Bastion Host

Answer 14

Host that is outside the firewall

Question 15

Firewall: Host-Based

Answer 15

e.g Windows Firewall/McAfee, etc…

Question 16

Intrusion Prevention Systems (IPS)

Answer 16

False positive on IPS cause outages
IDS - passive
IPS - active - think pen test so that why it will stop can cause outage

Question 17

Malware Detonating Devices (MDD)

Sandboxin

Answer 17

Isolate and try to see what would happen

Basically isolated denotation

Question 18

Sandboxing Capabilities

Answer 18

Malware checks to see if it is connected to internet before it detonates

Question 19

IDS

Answer 19

Sniff traffics/sniffer with rules
Passive - sent alert (Does not stop attack)
Active - stop attack (sending resets)

Question 20

IDS
True Positive
True Negative
False Positive
False Negative

Answer 20

True Positive - real attack
True Negative - normal traffic
False Positive - sets off alert and normal traffic
False Negative - does not set off alert and it is attack traffic

Question 21

Signature Matching

Answer 21

Detect pattern/detects on existing patterns

Will not detect on new patterns, polymorphic malware, or encrypted traffic

Question 22

Protocol Behavior

Answer 22

detects protocol, syn, syn-ack, ack

False positives on complex/non-standard protocols

Question 23

Honeypot

Answer 23

designed to be hacked into/public facing

Question 24

Security Information and Event Management (SIEM)

Answer 24

Devices to view logs for events that are triggered

Question 25

Audit Logs

Answer 25

Process: must be reviewed

Question 26

Audit Trails

Answer 26

Individual conducting Transactions
Date
Time
Location(workstation)

Question 27

Preparing Incidents

Answer 27

Critical decisions must be made before it happens:
pursue legal actions
what actions are authorized to be taken
Understand root cause or reimage/revert
Allowed to attack attackers to persist gain intelligence
templates needs to be built for data gathering

Question 28

Security Incidents: External Attacker

Answer 28

attacking back is a bad idea

IP is a pivot point so might not be the actual attacker IP

Question 29

Security Incidents: External Attacker Logs

Answer 29

Attackers will erase their tracks

Look for all systems that might have been connected to all offending IP addresses

Question 30

Security Incidents: Incident Handling

Answer 30

Preparation
Detection (Identification)
Response (Containment)
Mitigation (Eradication)
Reporting
Recovery
Remediation
Lessons learned

Question 31

Security Incidents: Detection

Answer 31

Do not jump to conclusion
Notify the correct people
use help desk to track trouble tickets and problem
Need primary handler

Question 32

SMART Guidelines

Answer 32

Specific
Measurable
Achievable
Realistic
Timely

Question 33

Security Incidents: Response

Answer 33

Incident handler should not make things worse
Secure the area
Make a forensic backup
Pull system off the network

Question 34

Security Incidents: Mitigation

Answer 34

Fix system before putting it back online
Determine cause & symptoms
Improve defense 
Perform vuln analysis
Analogy (Car accident):
Response - EMT stability patient
Mitigation - Doctor heal patient

Question 35

Security Incidents: Reporting

Answer 35

Occurs through all phases
Need technical & Non-technical reporting
Common mistake: focus on technical report only
Reporting less formal during incident and more formal as it approaches being handled and recovered

Question 36

Security Incidents: Recovery

Answer 36

Do not restore compromised code
validate system
monitor: make sure the attacker does not come back in

Question 37

Security Incidents: Remediation

Answer 37

Occurs in phases
Short term - change pw of affected users/patching affect systems
Long term - reconfig systems to use dual factor auth
improve org patching process

Question 38

Security Incidents: Lesson Learned

Answer 38

conduct lessons-learned meeting
send recommendations to management (ask for money, resources, etc..)
Conduct follow up meeting

Question 39

Forensic Investigation

Answer 39

Thorough and detailed analysis
greater expectation that legal system could be involved
presumes a violation might have been committed

Question 40

Incident Response

Answer 40

immediate limiting of averting operation impact

Question 41

Types of evidence

Answer 41

Direct - first hand witness
Circumstantial - testimony from first hand witness of circumstances related to the legal matter
Expert - opinion/interpretation from expert

Question 42

Hearsay

Answer 42

second hard, rather than direct
Business records - 2nd hand
Disk/memory are not treated as hearsay

Question 43

Chain of custody

Answer 43

integrity & authenticity
Document time, location, & manner of collection
specify individual responsible for control of evidence
Employ tamper resistance/evidence storage
Attestation
Ensure chain of evidence control can be reviewed

Question 44

EDiscovery

Answer 44

All data gets handed over, NO EXCEPTION

Question 45

RAID 0

Answer 45

double of in size (stripe) - write on disk A, then disk B and so on and so on
No redundancy

Question 46

RAID 1

Answer 46

Mirroring

Question 47

RAID 2

Answer 47

Needs 39 disk (32 disk for data, 7 for error recovery)

Question 48

RAID 3/4

Answer 48

RAID 3- byte level
RAID 4- block level
dedicated parity drive

Question 49

RAID 5

Answer 49

Block level
Striping of data across disk
Parity information striped across disk

Question 50

RAID 6

Answer 50

Like RAID 5, block level

Double the parity

Question 51

Electronic vaulting

Answer 51

batch processing

send data to remote server

Question 52

Remoting Journaling

Answer 52

transmitting data in real time to backup storage

think of SQL trans log

Question 53

Database Shadowing

Answer 53

same as remote journaling

storing duplicate data on multiple remote storage devices

Question 54

Disk duplexing

Answer 54

disk controller is duplicated

Question 55

Backup Concept: Full Backup

Answer 55

Full backup

Question 56

Backup Concept: Incremental Backup

Answer 56

backup files that have been created/modified since last backup
Set archive bit to 0
Changes from the previous day
need a lot of tape to restore

Question 57

Backup Concept: Differential Backup

Answer 57

backup files that have been created/modified since last backup
does not set archive bit to 0
Only need last full backup and the differential tape
Backup only changes from Sunday to the previous day, not day to day comparison

Question 58

Business Continuity Plan (BCP)

Answer 58

business remain viable even in the face of disaster

NIST SP800-34 REV1

Question 59

Continuity of Operations (COOP)

Answer 59

Subset of BCP

recover critical functions rapidly

Question 60

Disaster Recovery Plan (DRP)

Answer 60

detailed steps to restore critical information and systems

BRP long term, DRP short term

Question 61

Recovery Time Objective (RTO)

Answer 61

measure of when the system will be back online

Question 62

Work Recovery Time (WRT)

Answer 62

length of time after hardware/software restored to when normal operations are able to resume

Question 63

Maximum Tolerable Downtime

Answer 63

MTD = Recovery Time Objective (RTO) x Work Recovery Time (WRT)

Question 64

Recovery Point Objective

Answer 64

amount of data that be lost for a critical function

Question 65

Site Recovery Strategies

Answer 65

Self-Service - handle disruption within current facilities
Reciprocal Agreement - agreement with another
entity to help one another during disruption
Alternate Sites: Hot, warm, cold, hybrid, mobile

Question 66

Alternate Sites

Answer 66

Hot - fully equipped and staffed
Warm - pre-equip but not ready to go
Cold - empty facility
Hybrid - combination of hot/cold/warm - Hot/Cold - Immediate failover/long-term disaster use cold site
Mobile- think of office on wheels
Multiple processing site - mirror location, different locations - think mirror

Question 67

Read-Through, checklist, consistency testing

Answer 67

reviewing plan to ensure all areas are covered

Question 68

Structural Walk through

Answer 68

step through plans looking for errors or false assumptions

Question 69

Simulation/Tabletop

Answer 69

test with mock up scenarios

Question 70

Parallel

Answer 70

recover to alternate site while main site is running

Question 71

Full Interruption

Answer 71

full fail over to alternate site

Question 72

Training (BCP)

Answer 72

how to operate alternate site
how to start emergency power
how to perform a restorative backup

Question 73

Physical security & safety

Answer 73

Safety #1
In event of disaster
Personnel safety
Authorized access
Equipment protection
Information protection
Availability