Security Operations (OPS)

Question 1

Acoustical Detection

Answer 1

Microphones, vibrations sensors

Question 2

Admissible Evidence

Answer 2

Relevant, sufficient, reliable, does not have to be tangible

Question 3

Alarm filtering

Answer 3

The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks

Question 4

Alert/Alarm

Answer 4

A signal suggesting a system has been or is being attacked.

Question 5

Analysis

Answer 5

Systematic assessment of threats and vulnerabilities that provides a basis for effective management of risk.

Question 6

Automatic Recovery

Answer 6

When resolving a single failure (though system administrators are needed to resolve additional failures

Question 7

Automatic Recovery Without Undo Loss

Answer 7

Higher level of recovery defining prevention against the undue loss of protected objects

Question 8

Auxiliary Station Systems

Answer 8

Alarm to local fire or police

Question 9

Backup Storage Media

Answer 9

Tape: sequential, slow read, fast write 200GB an hour, historically
cheaper than disk (now changing), robotic libraries
Disk: fast read/write, less robust than tape
Optical drive: CD/DVD. Inexpensive
Solid state: USB drive, security issues, protected by AES

Question 10

Best Evidence

Answer 10

Primary: used at the trial because it is the most reliable.
Original documents are used to document things such as contracts

Question 11

Bind Variables

Answer 11

Placeholders for literal values in SQL query being sent to the database on a server; Used to enhance performance of a database

Question 12

Business Attacks

Answer 12

Focus on illegally obtaining an organization’s confidential information. The use of the information gathered usually causes more damage than the initial event itself.

Question 13

Central Stations

Answer 13

Less than 10mins travel time for e.g. an private security firm

Question 14

Chain of Custody

Answer 14

Collection, analysis and preservation of data
Forensics uses bit-level copy of the disk

Question 15

Change Control

Answer 15

Maintaining full control over requests, implementation, traceability, and proper documentation of changes.

Question 16

Cipher Lock

Answer 16

Electrical

Question 17

Circumstantial Evidence

Answer 17

Used to help assume another fact
Cannot stand on its own to directly prove a fact

Question 18

Civil Law

Answer 18

Europe, South America

Question 19

Classification

Answer 19

The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification.

Question 20

Classification Scheme

Answer 20

organization way of classifying data by factors such as criticality, sensitivity and ownership.

Question 21

Clearing

Answer 21

Overwriting media to be reused

Question 22

Combination Lock

Answer 22

3 digits with wheels

Question 23

Common Law

Answer 23

USA, UK Australia Canada (judges)

Question 24

Computer Crime Laws

Answer 24

3 types of harm:

unauthorized intrusion

unauthorized alteration or destruction

malicious code

Question 25

Conclusive Evidence

Answer 25

Irrefutable, cannot be contradicted
Requires no other corraboration

Question 26

Confidence value

Answer 26

A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack

Question 27

Configuration

Answer 27

Collection of component CI’s that make another CI

Question 28

Configuration item (CI)

Answer 28

 Component whose state is recorded

Question 29

Containment

Answer 29

Mitigate damage by isolating compromised systems from the network.

Question 30

Corroborative Evidence

Answer 30

Supports or substantiates other evidence presented in a case

Question 31

Darknet

Answer 31

Unused network space that may detect unauthorized activity

Question 32

Data Custodian

Answer 32

Individuals and departments responsible for the storage and safeguarding of computerized data.

Question 33

Data Dictionary

Answer 33

A database that contains the name, type, range of values, source and authorization for access for each data element

Question 34

Data Haven

Answer 34

Is a country or location that has no laws or poorly enforced laws

Question 35

Data Integrity

Answer 35

The property that data meet with a priority expectation of quality and that the data can be relied upon.

Question 36

Data Leakage

Answer 36

Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes.

Question 37

Data Loss Prevention (DLP)

Answer 37

Systems attempt to detect and block exfiltration attempts. These systems have the capability of scanning for keywords and patterns.

Question 38

Data Owner

Answer 38

Individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting and use of computerized data.

Question 39

Database Shadowing

Answer 39

Real-time data backup ( Data Mirroring)

Question 40

Debriefing / Feedback

Answer 40

External communications

Question 41

Degauss

Answer 41

Protection of stored or displayed information by removal/reduction of the magnetic field (demagnetization).

Question 42

Detection

Answer 42

Identification and notification of an unauthorized and/or undesired action

Question 43

Device Lock

Answer 43

Bolt down hardware

Question 44

Differential backup

Answer 44

Only modified files, doesn’t clear archive bit. Advantage: full and only last one needed, Intermediate time between.

Question 45

Direct Evidence

Answer 45

Can prove fact by itself and does not need any type of backup.
Testimony from a witness; one of their 5 senses.
Oral: case can’t stand on it alone
Oral: does not need other evidence to substantiate

Question 46

Electromechanical Detection

Answer 46

 Senses a break or change in a circuit magnets pulled lose, wires door, pressure pads

Question 47

Electronic Vaulting

Answer 47

Periodic, automatic and transparent backup of data in bulk.

Question 48

Emergency Restart Failure

Answer 48

Occurs after a failure happens in an uncontrolled manner. E.g. when a low privileged user tries to access restricted memory segments

Question 49

Endpoint-based DLP

Answer 49

Can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.

Question 50

Enticement

Answer 50

The legal action of luring an intruder, like in a honeypot

Question 51

Entitlement

Answer 51

Refers to the amount of privileges granted to users, typically when first provisioning an account. A user audit can detect when employees have excessive privileges

Question 52

Entrapment

Answer 52

The illegal act of inducing a crime; the individual had no intent of committing the crime at first

Question 53

Espionage

Answer 53

Malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization. Often with the intent of disclosing or selling the information to a competitor or other interested organization (such as a foreign government). Attackers can be dissatisfied employees, and in some cases, employees who are being blackmailed from someone outside the organization. Countermeasures are to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.

Question 54

Evidence

Answer 54

Must be preserved and identifiable

Sufficient –persuasive enough to convince one of its validity
Reliable –consistent with fact, evidence has not been tampered with or modified
Relevant –relationship to the findings must be reasonable and sensible, Proof of crime, documentation of events, proof of acts and methods used, motive proof, identification of acts
Permissible – lawful obtaining of evidence, avoid: unlawful search and seizure, secret recording, privacy violations, forced confessions, unlawful obtaining of evidence
Preserved and identifiable – collection, reconstruction
Identification labeling, recording serial number etc.
Evidence must be preserved and identifiable

Question 55

Evidence Lifecycle

Answer 55

1. Discovery
2. Protection
3. Recording
4. Collection and identification
5. Analysis
6. Storage, preservation, transportation
7. Present in court
8. Return to owner

Question 56

Exigent Circumstances

Answer 56

Allows officials to seize evidence before it’s destroyed (police team fall in)

Question 57

Fail Closed/Secure

Answer 57

 Most conservative from a security perspective

Question 58

Fail safe system

Answer 58

Program execution is terminated and system protected from hardware or software compromise occurs DOORS usually

Question 59

Fail soft

Answer 59

Or resilient system: reboot, selected, non-critical processing is terminated

Question 60

Failover

Answer 60

 Switches to hot backup

Question 61

Failure Preparation

Answer 61

Backup critical information thus enabling data recovery

Question 62

False attack stimulus

Answer 62

The event signaling an IDS to produce an alarm when no attack has taken place

Question 63

False negative

Answer 63

A failure of an IDS to detect an actual attack

Question 64

False positive

Answer 64

An alert or alarm that is triggered when no actual attack has taken place

Question 65

Fault tolerance

Answer 65

Mitigation of system or component loss or interruption through use of backup capability.

Question 66

Financial Attacks

Answer 66

Carried out to unlawfully obtain money or services.

Question 67

Full Backup

Answer 67

All files, archive bit and modify bit are cleared. Advantage: only previous day needed for full restore, disadvantage: time consuming

Question 68

Function Recovery

Answer 68

System can restore functional processes automatically

Question 69

Grudge Attacks

Answer 69

Carried out to damage an organization or a person. The damage could be in the loss of information or information processing capabilities or harm to the organization or a person’s reputation.

Question 70

Hackers and Crackers

Answer 70

 Want to verify their skills as intruders

Question 71

Hacktivists

Answer 71

Often combine political motivations with the thrill of hacking.

Question 72

Hardware/ Embedded Device Analysis

Answer 72

Review the contents. This may include a review of Personal computers & Smartphones

Question 73

Hearsay

Answer 73

 Second-hand data not admissible in court

Question 74

Hearsay Evidence

Answer 74

Something a witness hears another one say.

Business records and all that’s printed or displayed. Exception: audit trails and business records when the documents are created in the normal course of business.

Question 75

Highly Confidential

Answer 75

Information that, if made public or even shared around the organization, could seriously impede the organization’s operations

Question 76

Host-based IDS (HIDS)

Answer 76

Monitors activity on a single computer, including process calls and information recorded in firewall logs. Often examines events in more detail than NIDS, can pinpoint specific files compromised in an attack. Can track processes employed by the attacker. A benefit over NIDSs is that it can detect anomalies on the host system.

Question 77

Hot Spares

Answer 77

Redundant component that provides failover capability in the event of failure or interruption of a primary component.

Question 78

Hypervisor

Answer 78

Software component that manages the virtual components. Adds an additional attack surface, so it’s important to ensure it is deployed in a secure state and kept up-to-date with patches, controls access to physical resources

Question 79

Incident

Answer 79

Event or series of events that adversely impact the ability of an organization to do business; suspected attack

Question 80

Incident handling

Answer 80

A documented battle plan for coordinating response to incidents.

Question 81

Incident response process

Answer 81

Detect
Respond
Report
Recover
Remediate
Review

Question 82

Incremental Backup

Answer 82

Only modified files, archive bit cleared, Advantage: least time and space, Disadvantage: first restore full then all incremental backups, thus less reliable because it depends on more components

Question 83

Internal Use only

Answer 83

loss would inconvenience the organization but disclosure is unlikely to result in financial loss or serious damage to credibility.

Question 84

Interrogation

Answer 84

Evidence retrieval method, ultimately obtain a confession

Question 85

Interviewing

Answer 85

 Gather facts and determine the substance of the case.

Question 86

Intrusion

Answer 86

Occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization’s resources.

Question 87

Intrusion Detection System (IDS)

Answer 87

Monitors recorded information and real-time events to detect abnormal activity indicating a potential incident. Automates the inspection of logs and real-time events to find attempts and failures. An effective method of detecting many DoS and DDoS attacks. Can recognize attacks that come from external connections, such as from the Internet, and attacks that spread internally such as a malicious worm. Responds by sending alerts or raising alarms. In some cases can modify the environment to stop an attack.

A primary goal is to provide a means for a timely and accurate response to attacks. Intended as part of a defense-in-depth security plan. It will work with and compliment other security mechanisms but does not replace them.

Question 88

Intrusion Prevention System (IPS)

Answer 88

Includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions. If desired, administrators can disable these extra features, essentially causing it to function as an IDS.

Question 89

Islamite and other Religious Laws

Answer 89

 ME, Africa, Indonesia

Question 90

JBOD

Answer 90

Most basic type of storage

Question 91

Lighting Continuous

Answer 91

Evenly distributed

Question 92

Lighting Controlled

Answer 92

No bleeding over no blinding

Question 93

Lighting Glare Protection

Answer 93

 Against blinding

Question 94

Lighting Responsive Areas Illumination

Answer 94

IDS detects activities and turns on lightning

Question 95

Lighting Standby

Answer 95

Timers

Question 96

Line Supervision Check

Answer 96

If no tampering is done with the alarm wires

Question 97

Local Alarms

Answer 97

Audible at least 4000 feet

Question 98

Locard’s principle

Answer 98

every time you make contact with another it results in an exchange of materials for both physical and digital evidence.

Question 99

Log

Answer 99

Record of system activity, which provides for monitoring and detection.

Question 100

Manual Recovery

Answer 100

 System administrator intervention is required to return the system to a secure state

Question 101

Media Analysis

Answer 101

A branch of computer forensic analysis. Involves the identification and extraction of information from storage. This may include the following: Magnetic (e.g., hard disks, tapes) Optical (e.g., CDs, DVDs, Blu-ray discs) Memory (e.g., RAM, solid state storage)

Techniques used may include the recovery of deleted files from unallocated sectors of the physical disk, the live connection to a computer system (especially useful when examining encrypted), and the static examination of forensic images of storage.

Question 102

Military or Intelligence Attack

Answer 102

Designed to extract secret information.

Question 103

MOM

Answer 103

Means, Opportunity and Motive
Used in determining suspects

Question 104

Monitor

Answer 104

Continuous surveillance, to provide for detection and response of any failure in preventive controls.

Question 105

Motion Detector

Answer 105

wave pattern movement sensors

Question 106

MTBF

Answer 106

Mean Time Between Failures (Useful Life) = MTTF + MTTR

Question 107

Network Analysis

Answer 107

Often depends on either prior knowledge that an incident is underway or the use of preexisting security controls that log activity. These include: Intrusion detection and prevention system logs, data captured by a flow monitoring system, Packet captures deliberately collected during an incident. Logs from firewalls and other security devices. Collect and correlate information from these disparate sources and produce as comprehensive a picture of activity as possible.

Question 108

Network Attached Storage (NAS)

Answer 108

Server optimized for providing file-based data storage to the network. Unlike a File Server, a NAS unit has no input or output devices, and the OS is dedicated for providing storage services.

Question 109

Network-based DLP

Answer 109

Scans all outgoing looking for specific variables. If a user sends out a restricted file, the system will detect it and prevent it from leaving the organization. Sends an alert, such as an email to an administrator.

Question 110

Network-based IDS (NIDS)

Answer 110

Monitors and evaluates network activity to detect attacks or event anomalies. Cannot monitor content of encrypted traffic but can monitor other packet details. Just one can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.

Question 111

Noise

Answer 111

Data or interference that can trigger a false positive

Question 112

Notebook

Answer 112

Most preferred in the legal investigation; pages are attached to a binding.

Question 113

Notification

Answer 113

Communication of a security incident to stakeholders and data owners.

Question 114

Object Reuse

Answer 114

Utilization after initial use

Question 115

Opinion Rule

Answer 115

Requires witnesses to testify only about the facts of the case; cannot be used as evidence in the case.

Question 116

Parallel Tests

Answer 116

Involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at an alternate site, main site open also

Question 117

Passive Infrared Detection

Answer 117

Through sensing changes in temperature

Question 118

Photoelectric Detector

Answer 118

Light beams interrupted (as in an store entrance)

Question 119

Prefabricated Building

Answer 119

A very cold site.

Question 120

Preset Lock

Answer 120

Comes with door

Question 121

Prevention

Answer 121

Controls deployed to avert unauthorized and/or undesired actions.

Question 122

Programmable Lock

Answer 122

Combination or electrical lock

Question 123

Proprietary

Answer 123

Define the way in which the organization operates.

Question 124

Proprietary Systems

Answer 124

Owned and operated by the customer.
System provides many of the features in-house

Question 125

Prototyping

Answer 125

Customer view taken into account

Question 126

Proximity or Capacitance Detector

Answer 126

Magnetic field shows presence around an object

Question 127

Pseudo Flaw

Answer 127

False vulnerability in a system that may attract an attacker

Question 128

Purging

Answer 128

 Degaussing or overwriting to be removed

Question 129

RAID Levels

Answer 129

RAID 0 Striped, one large disk out of several. Improved performance but no fault tolerance
RAID 1 Mirrored drives: fault tolerance from disk errors and single disk failure, expensive; redundancy only, not speed
RAID 2 not used commercially. Hammering Code Parity/error
RAID 3 Striped on byte level with extra parity drive. Improved performance and fault tolerance, but parity drive is a single point of failure and write intensive. 3 or more drives
RAID 4 Same as Raid 3 but striped on block level; 3 or more drives
RAID 5 Striped on block level, parity distributed over all drives. Requires all drives but one to be present to operate hot. Swappable. Interleave parity, recovery control; 3 or more drives
RAID 6 Dual Parity; parity distributed over all drives. Requires all drives but two to be present to operate hot. Swappable.
RAID 7 Same as raid 5 but all drives act as one single virtual disk

Question 130

Raking

Answer 130

Circumvent a pin tumbler lock

Question 131

Recovery

Answer 131

Measures followed to restore critical functions following a security incident.

Question 132

Redundant Array of Independent Drives (RAID)

Answer 132

A group of hard drives working as one storage unit for the purpose of speed and fault tolerance

Question 133

Redundant Servers

Answer 133

Use of a backup server(s) to protect information and essential processes in the event of a primary system failure.

Question 134

Remanence

Answer 134

Potentially retrievable data residue that remains following intended erasure of data.

Question 135

Remote Journaling

Answer 135

Real-time, automatic and transparent backup of data.

Question 136

Response Capability

Answer 136

Policy, procedures, a team

Question 137

Sabotage

Answer 137

Criminal act of destruction or disruption committed against an organization by an employee. It can become a risk if an employee is knowledgeable enough about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.

Question 138

Salvage Team

Answer 138

Goes back to the primary site to normal processing environmental conditions. Clean, repair, save what can be saved. Can declare when primary site is available again

Question 139

Script Kiddies

Answer 139

Attackers who lack the ability to devise their own attacks will often download programs that do their work for them. The main motivation behind these attacks is the “high” of successfully breaking into a system. Service interruption. An attacker may destroy data, the main motivation is to compromise a system and perhaps use it to launch an attack against another victim. Website defacements common

Question 140

Secondary Evidence

Answer 140

Copies of documents. Not as strong as best. A copy is not permitted if the original (Best) is available. Oral like Witness testimony

Question 141

Server Clustering

Answer 141

Group of independent servers which are managed as a single system. All servers are online and take part in processing service requests.
All share the same OS and application software vs. grid devices that can have different OSs while still working on same problem.

Question 142

Site policy

Answer 142

Guidelines within an organization that control the rules and configurations of an IDS

Question 143

Site policy awareness

Answer 143

The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity

Question 144

Software Analysis

Answer 144

Conduct forensic reviews of applications or the activity that takes place within a running application. In some cases, conduct a review of software code, looking for back doors, logic bombs, or other security vulnerabilities. In other cases, review and interpret the log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.

Question 145

Software Library

Answer 145

Controlled area only accessible for approved users

Question 146

Storage Area Network (SAN)

Answer 146

A subnetwork with storage devices servicing all servers on the attached network.

Question 147

Subscription Services

Answer 147

Third party, commercial services provide alternate backups and processing facilities. Most common of implementations!

Question 148

System Cold Start Failure

Answer 148

When an unexpected kernel or media failure happens and the regular recovery procedure

Question 149

System Reboot Failure

Answer 149

System shuts itself down in a controlled manner after detecting inconsistent data structures or runs out of resources

Question 150

System Recovery

Answer 150

1. Rebooting system in single user mode or recovery console, so no user access is enabled
2. Recovering all file systems that were active during failure
3. Restoring missing or damaged files
4. Recovering the required security characteristic, such as file security labels
5. Checking

Question 151

Terrorist Attacks

Answer 151

Purpose of a terrorist attack is to disrupt normal life and instill fear

Question 152

Thrill Attacks

Answer 152

Launched only for the fun of it. Pride, bragging rights

Question 153

Top Secret

Answer 153

Highly sensitive internal documents that could seriously damage the organization if such information were lost or made public

Question 154

True attack stimulus

Answer 154

An event that triggers an IDS to produce an alarm and react as though a real attack were in progress

Question 155

Trusted Recovery

Answer 155

Ensures that the security is not breached when a system crash or failure occurs. Only required for a B3 and A1 level systems.

Question 156

Tumbler Lock

Answer 156

Cylinder slot

Question 157

Types of Investigation

Answer 157

• Operational
• Criminal
• Civil
• eDiscovery

Question 158

US Law: 3 Branches

Answer 158

Legislative: writes (statutory laws)
Executive: enforces (administrative laws)
Juridical: interprets laws (makes common laws out of court decisions)

Question 159

US Law: 3 Categories

Answer 159

Criminal: individuals in violation; punishment mostly imprisonment
Civil: wrongs against individual or organization that result in a damage or loss. Punishment can include financial penalties. AKA tort (I’ll Sue You!) Jury decides liability
Administrative/Regulatory: – how industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties

Question 160

Victimology

Answer 160

Why certain people fall prey to crime and how lifestyle affects their chances

Question 161

Warded Lock

Answer 161

Hanging, with a key

Question 162

Raid 6

Answer 162

Does not require a hot spare drive or disk

Question 163

warez

Answer 163

piracy act of copying software from top notch brands and distributing over the Internet

Question 164

colocation cloud

Answer 164

Colocation cloud combines the benefits of colocation and cloud computing to provide a comprehensive solution that addresses the limitations of traditional data management approaches.

Question 165

blue team

Answer 165

defends from attacks

Question 166

red team

Answer 166

attacks

Question 167

white team

Answer 167

handles security incidents