Domain 7 - Security Operations Flashcards

1
Q

These allow access to objects such as files.

A

Permissions

2
Q

These refer to the ability to take actions.

A

Rights

3
Q

The combination of both rights and permissions.

A

Privileges

4
Q

This imposes the requirement to grant users access only to data or resources they need to perform assigned work tasks.

A

need to know principle. data = need to know

5
Q

This states that subjects are granted only the privileges necessary to perform assigned work tasks and no more.

A

principle of least privilege. actions = least privilege

6
Q

This refers to the amount of privileges granted to users, typically when first provisioning an account. In other words, when administrators create user accounts, they ensure the accounts are provisioned with the appropriate amount of resources, and this includes privileges.

A

Entitlement

7
Q

In the context of least privilege, this refers to the amount of privileges that users collect over time. For example, if a user moves from one department to another while working for an organization, this user can end up with privileges from each department.

A

Aggregation

8
Q

This extends the trust relationship between the two security domains to all of their subdomains. Within the context of least privilege, it’s important to examine these trust relationships, especially when creating them between different organizations.

A

Transitive Trust

9
Q

This ensures that no single person has total control over a critical function or system. This is necessary to ensure that no single person can compromise the system or its security. Instead, two or more people must conspire or collude against the organization, which increases the risk for these people.

A

Separation of duties

10
Q

These models provide fully functional applications typically accessible via a web browser. For example, Google’s Gmail.

A

Software as a Service (SaaS)

11
Q

These models provide consumers with a computing platform, including hardware, an operating system, and applications. In some cases, consumers install the applications from a list of choices provided by the CSP. Consumers manage their applications and possibly some configuration settings on the host. However, the CSP is responsible for maintenance of the host and the underlying cloud infrastructure.

A

Platform as a Service (PaaS)

12
Q

These models provide basic computing resources to consumers. This includes servers, storage, and in some cases, networking resources. Consumers install operating systems and applications and perform all required maintenance on the operating systems and applications. The CSP maintains the cloud-based infrastructure, ensuring that consumers have access to leased systems.

A

Infrastructure as a Service (IaaS)

13
Q

What are the 5 steps involved in managing a computer security incident response?

A

Response, Mitigation, Reporting, Recovery, Remediation

14
Q

This examines the incident to determine what allowed it to happen. For example, if attackers successfully accessed a database through a website, personnel would examine all the elements of the system to determine what allowed the attackers to succeed.

A

root cause analysis

15
Q

Attacks that prevent a system from processing or responding to legitimate traffic or requests for resources and objects.

A

Denial-of-service (DoS) attacks

16
Q

This is a common DoS attack. It disrupts the standard three-way handshake used by TCP to initiate communication sessions.

A

SYN flood attack

17
Q

This is another type of flood attack, but it floods the victim with Internet Control Message Protocol (ICMP) echo packets instead of with TCP SYN packets. More specifically, it is a spoofed broadcast ping request using the IP address of the victim as the source IP address.

A

smurf attack

18
Q

These are similar to smurf attacks. However, instead of using ICMP, this attack uses UDP packets over UDP ports 7 and 19. This attack will broadcast a UDP packet using the spoofed IP address of the victim. All systems on the network will then send traffic to the victim, just as with a smurf attack.

A

Fraggle attacks

19
Q

This floods a victim with ping requests. This can be very effective when launched by zombies within a botnet as a DDoS attack.

A

ping flood attack

20
Q

This attack employs an oversized ping packet. Ping packets are normally 32 or 64 bytes, though different operating systems can use other sizes. This attack changed the size of ping packets to over 64 KB, which was bigger than many systems could handle. When a system received a ping packet larger than 64 KB, it resulted in a problem. In some cases the system crashed.

A

ping-of-death attack

21
Q

An attacker fragments traffic in such a way that a system is unable to put data packets back together.

A

teardrop attack

22
Q

This occurs when the attacker sends spoofed SYN packets to a victim using the victim’s IP address as both the source and destination IP address. This tricks the system into constantly replying to itself and can cause it to freeze, crash, or reboot.

A

land attack

23
Q

This refers to an attack on a system exploiting a vulnerability that is unknown to others.

A

zero-day exploit

24
Q

Any script or program that performs an unwanted, unauthorized, or unknown activity on a computer system.

A

Malicious code

25
Q

Code downloaded and installed on a user’s system without the user’s knowledge.

A

drive-by download

26
Q

This attack occurs when a malicious user is able to gain a position logically between the two endpoints of an ongoing communication.

A

man-in-the-middle

27
Q

This means using a modem to search for a system that accepts inbound connection attempts.

A

War dialing

28
Q

This is the most common method of detection. It uses a database of known attacks developed by the IDS vendor.

A

Knowledge-based Detection

29
Q

This type of detection starts by creating a baseline of normal activities and events on the system. Once it has accumulated enough baseline data to determine normal activity, it can detect abnormal activity that may indicate a malicious intrusion or event.

A

Behavior-based Detection

30
Q

A portion of allocated IP addresses within a network that are not used. It includes one device configured to capture all the traffic into this area of the network. Since the IP addresses are not used, it does not have any other hosts and it should not have any traffic at all.

A

a darknet

31
Q

Individual computers created as a trap for intruders.

A

Honeypots

32
Q

Two or more networked honeypots used together to simulate a network.

A

honeynet

33
Q

False vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers. They are often used on honeypot systems to emulate well-known operating system vulnerabilities. Attackers

A

Pseudo flaws

34
Q

This system is similar to a honeypot, but it performs intrusion isolation using a different approach. When an IDS detects an intruder, that intruder is automatically transferred to this system. It has the look and feel of an actual network, but the attacker is unable to perform any malicious activities or access any confidential data from within this location.

A

A padded cell

35
Q

A zero-knowledge team knows nothing about the target site except for publicly available information, such as domain name and company address.

A

Black-Box Testing

36
Q

A full-knowledge team has full access to all aspects of the target environment. They know what patches and upgrades are installed, and the exact configuration of all relevant devices. If the target is an application, they would have access to the source code.

A

White-Box Testing

37
Q

A partial-knowledge team that has some knowledge of the target performs gray-box testing, but they are not provided access to all the information.

A

Gray-Box Testing

38
Q

The process of extracting specific elements from a large collection of data to construct a meaningful representation or summary of the whole.

A

Sampling

39
Q

This is a form of nonstatistical sampling. It selects only events that exceed a level, which is a predefined threshold for the event. The system ignores events until they reach this threshold.

A

Clipping

40
Q

This refers to monitoring outgoing traffic to prevent data exfiltration, which is the unauthorized transfer of data outside the organization.

A

Egress monitoring

41
Q

The practice of embedding a message within a file. For example, individuals can modify bits within a picture file to embed a message.

A

Steganography

42
Q

The records created by recording information about events and occurrences into one or more databases or log files. They are used to reconstruct an event, to extract information about an incident, and to prove or disprove culpability.

A

Audit trails

43
Q

Any component that can cause an entire system to fail.

A

single point of failure

44
Q

The ability of a system to suffer a fault but continue to operate.

A

Fault tolerance

45
Q

This refers to the ability of a system to maintain an acceptable level of service during an adverse event.

A

System resilience

46
Q

This is also called striping. It uses two or more disks and improves the disk subsystem performance, but it does not provide fault tolerance.

A

RAID-0

47
Q

This is also called mirroring. It uses two disks, which both hold the same data. If one disk fails, the other disk includes the data so a system can continue to operate after a single disk fails.

A

RAID-1

48
Q

This is also called striping with parity. It uses three or more disks with the equivalent of one disk holding parity information. If any single disk fails, the RAID array will continue to operate, though it will be slower.

A

RAID-5

49
Q

This is also known as RAID 1 + 0 or a stripe of mirrors, and is configured as two or more mirrors (RAID-1) arranged in a striped (RAID-0) configuration. It uses at least four disks but can support more as long as an even number of disks is added. It will continue to operate even if multiple disks fail, as long as at least one drive in each mirror continues to function.

A

RAID-10

50
Q

A quick instance of an increase in voltage.

A

spike

51
Q

A quick instance of a reduction in voltage.

A

sag

52
Q

When voltage remains low for a long period of time.

A

brownout

53
Q

If power stays high for a long period of time, it’s called

A

surge

54
Q

A system will default to a secure state in the event of a failure, blocking all access.

A

fail-secure

55
Q

A system will fail in an open state, granting all access.

A

fail-open

56
Q

The four types of trusted recovery that are relevant to system resilience and listed in the Common Criteria.

A

Manual Recovery, Automated Recovery, Automated Recovery without Undue Loss, Function Recovery

57
Q

If a system fails, it does not fail in a secure state. Instead, an administrator is required to manually perform the actions necessary to implement a secured or trusted recovery after a failure or system crash.

A

Manual Recovery

58
Q

The system is able to perform trusted recovery activities to restore itself against at least one type of failure. For example, a hardware RAID provides automated recovery against the failure of a hard drive but not against the failure of the entire server. Some types of failures will require manual recovery.

A

Automated Recovery

59
Q

This is similar to automated recovery in that a system can restore itself against at least one type of failure. However, it includes mechanisms to ensure that specific objects are protected to prevent their loss. An example would include steps to restore data or other objects. It may include additional protection mechanisms to restore corrupted files, rebuild data from transaction logs, and verify the integrity of key system and security components.

A

Automated Recovery without Undue Loss

60
Q

Systems that support function recovery are able to automatically recover specific functions. This state ensures that the system is able to successfully complete the recovery for the functions, or that the system will be able to roll back the changes to return to a secure state.

A

Function Recovery

61
Q

The network capacity available to carry communications.

A

Bandwidth

62
Q

The time it takes a packet to travel from source to destination.

A

Latency

63
Q

The variation in latency between different packets.

A

Jitter

64
Q

Some packets may be lost between source and destination, requiring retransmission.

A

Packet Loss

65
Q

Electrical noise, faulty equipment, and other factors may corrupt the contents of packets.

A

Interference

66
Q

Standby facilities large enough to handle the processing load of an organization and equipped with appropriate electrical and environmental support systems. They have no computing facilities (hardware or software) preinstalled and also have no active broadband communications links.

A

Cold sites

67
Q

A backup facility that is maintained in constant working order, with a full complement of servers, workstations, and communications links ready to assume primary operations responsibilities. The servers and workstations are all preconfigured and loaded with appropriate operating system and application software. The data is periodically or continuously updated.

A

hot site

68
Q

These sites always contain the equipment and data circuits necessary to rapidly establish operations. This equipment is usually preconfigured and ready to run appropriate applications to support an organization’s operations. However, they do not typically contain copies of the client’s data.

A

warm sites

69
Q

Activation of this type of site usually takes at least 12 hours from the time a disaster is declared.

A

warm sites

70
Q

A company that leases computer time. They own large server farms and often fields of workstations. Any organization can purchase a contract from them to consume some portion of their processing capacity. Access can be on site or remote.

A

service bureau

71
Q

Two organizations pledge to assist each other in the event of a disaster by sharing computing facilities or other technological resources.

A

Mutual assistance agreements (MAAs)

72
Q

Database backups are moved to a remote site using bulk transfers. The remote location may be a dedicated alternative recovery site (such as a hot site) or simply an offsite location managed within the company or by a contractor for the purpose of maintaining backup data.

A

electronic vaulting; keyword is batch sending of data. for example every hour.

73
Q

Data transfers are performed in a more expeditious manner. Data transfers still occur in a bulk transfer mode, but they occur on a more frequent basis, usually once every hour and sometimes more frequently. Unlike electronic vaulting scenarios, where entire database backup files are transferred, these setups transfer copies of the database transaction logs containing the transactions that occurred since the previous bulk transfer.

A

remote journaling- keyword transaction logs

74
Q

The most advanced database backup solution and the most expensive! A live database server is maintained at the backup site. The remote server receives copies of the database modifications at the same time they are applied to the production server at the primary site. Therefore, the remote server is ready to take over an operational role at a moment’s notice.

A

Remote mirroring

75
Q

These store a complete copy of the data contained on the protected device. They duplicate every file on the system regardless of the setting of the archive bit. Once it is complete, the archive bit on every file is reset, turned off, or set to 0.

A

Full Backups

76
Q

These store only those files that have been modified since the time of the most recent full or incremental backup. Only files that have the archive bit turned on, enabled, or set to 1 are duplicated. Once it is complete, the archive bit on all duplicated files is reset, turned off, or set to 0.

A

Incremental Backups

77
Q

These store all files that have been modified since the time of the most recent full backup. Only files that have the archive bit turned on, enabled, or set to 1 are duplicated. However, they do not change the archive bit.

A

Differential Backups

78
Q

One of the simplest tests to conduct, but it’s also one of the most critical. In this test, you distribute copies of disaster recovery plans to the members of the disaster recovery team for review.

A

read-through test

79
Q

In this type of test, often referred to as a table-top exercise, members of the disaster recovery team gather in a large conference room and role-play a disaster scenario. Usually, the exact scenario is known only to the test moderator, who presents the details to the team at the meeting. The team members then refer to their copies of the disaster recovery plan and discuss the appropriate responses to that particular type of disaster.

A

structured walk-through

80
Q

In these tests, disaster recovery team members are presented with a scenario and asked to develop an appropriate response. Some of these response measures are then tested. This may involve the interruption of noncritical business activities and the use of some operational personnel.

A

Simulation tests

81
Q

These tests involve relocating personnel to the alternate recovery site and implementing site activation procedures. The employees relocated to the site perform their disaster recovery responsibilities just as they would for an actual disaster. The only difference is that operations at the main facility are not interrupted. That site retains full responsibility for conducting the day-to-day business of the organization.

A

Parallel tests

82
Q

These tests operate like parallel tests, but they involve actually shutting down operations at the primary site and shifting them to the recovery site. For obvious reasons, these tests are extremely difficult to arrange, and you often encounter resistance from management.

A

Full-interruption tests

83
Q

The three requirements for evidence to be admissible.

A

Must be relevant to determining a fact, must be material or related to the case, and must be competent or obtained legally

84
Q

This type of evidence consists of things that may actually be brought into a court of law. In common criminal proceedings, this may include items such as a murder weapon, clothing, or other physical objects. In a computer crime case, it might include seized computer equipment, such as a keyboard with fingerprints on it or a hard drive from a hacker’s computer system.

A

Real evidence

85
Q

This type of evidence includes any written items brought into court to prove a fact at hand. This type of evidence must also be authenticated. For example, if an attorney wants to introduce a computer log as evidence, they must bring a witness (for example, the system administrator) into court to testify that the log was collected as a routine business practice and is indeed the actual log that the system collected.

A

Documentary evidence

86
Q

This type of evidence is, quite simply, evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.

A

Testimonial Evidence

87
Q

A branch of computer forensic analysis that involves the identification and extraction of information from storage media.

A

Media Analysis

88
Q

Forensic investigators are also often interested in the activity that took place over the network during a security incident. This is often difficult to reconstruct due to the volatility of network data—if it isn’t deliberately recorded at the time it occurs, it generally is not preserved.

A

Network Analysis

89
Q

What are the three steps of an incident response process?

A

Detection and identification, Response and reporting, Recovery and remediation

90
Q

The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

A

The Code of Ethics preamble

91
Q

List the four Code of Ethics canons

A

Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.

92
Q

A crime (or violation of a law or regulation) that is directed against, or directly involves, a computer.

A

Computer crime

93
Q

List the six categories of computer crimes.

A

military and intelligence attack, business attack, financial attack, terrorist attack, grudge attack, and thrill attack.

94
Q

Group of servers that are managed as a single logical system.

A

Server clustering. Note: not all clusters do load balancing.