Domain 6 - Security Operations Flashcards

1
Q

concepts in security assessment and testing

A
  1. Security control testing
  2. Collect security process data
  3. Analyze reports and test outputs
  4. Internal and third-party audits
2
Q

vulnerability assessment, penetration testing, log reviews, NIST SP 800-92, synthetic transactions, code review and testing, misuse case testing, test coverage, interface testing

A

security control testing topics

3
Q

An absence of a countermeasure, or a weakness in a countermeasure that is in place

A

vulnerability

4
Q

Three categories:

  1. Personnel testing: review standard practices and procedures that users follow.
  2. Physical testing: review facility and perimeter protections.
  3. System and network testing: review systems, devices, and network topology.
A

vulnerability assessment

5
Q

These include Nessus, Open Vulnerability Assessment System (OpenVAS), Core Impact, Nexpose, GFI LanGuard, QualysGuard, Microsoft Baseline Security Analyzer (MBSA)

A

vulnerability assessment applications

6
Q

metrics for vulnerability assessment tools

A

accuracy, reliability, scalability, and reporting

7
Q

This results in time spent researching a non-existent issue.

A

false positive

8
Q

These are serious because they mean the scanner failed to identify an issue that poses a serious security risk.

A

false negative

9
Q

The goal of this ethical hacking test is to simulate an attack in order to identify any threats that can stem from internal or external actors planning to exploit the vulnerabilities of a system or device. Both internal and external tests should be performed.

A

penetration test

10
Q

penetration testing steps

A
  1. Document information about the target devices/systems.
  2. Gather information about a hack method against the target system/device. Perform port scans.
  3. Identify the known vulnerabilities of the target system/device.
  4. Execute attacks against the target system/device to gain user and privileged access.
  5. Document the results of the findings and report the findings to management, with suggestions for remediation.
11
Q

Blind Test: limited or publicly available knowledge, known to the tester and the organization. It simulates an actual attack.

Double-Blind Test: The organization and its security team do not know the test is coming. It requires equal effort by the security and testing teams.

Target Test: The security and testing teams both know about the test and have been given all details about systems and devices. It is the easiest to complete but results in an incomplete picture.

A

penetration testing strategies

12
Q

The team is given limited knowledge of the network systems and devices, and publicly available information is known. The organization’s security team knows the attack/test is coming. The test requires more effort by the testing team, and the team must simulate an actual attack.

A

blind test

13
Q

This is the same as a blind test, but the organization doesn’t know the test is coming. Only a few senior people know the test will occur, and they do not share this information. The test requires both the security and testing teams to use more effort to simulate the attack.

A

double-blind test

14
Q

Both the testing team and the organization’s security team are given the maximum information about the network and the type of attack that will occur. This is the easiest test to perform, but it only gives a partial picture of the organization’s security.

A

target test

15
Q

Zero-knowledge test: closed, black-box; no information on the organization’s network; any means is used to test.

Partial-knowledge test: partial, limited testing with set boundaries; the team has public knowledge.

Full-knowledge test: Full knowledge is known about the organization’s network. Focus is on what attacks can occur.

A

penetration test categories

16
Q

The team gets no information regarding the organization’s network. The testing team can use any means available to obtain information about the organization’s network. This is also referred to as “closed” or black-box testing.

A

zero-knowledge test

17
Q

The team is given public knowledge about the organization’s network. Boundaries might be enforced or set for this type of test.

A

partial-knowledge test

18
Q

The team is given all details about the organization’s network. The test is focused on what attacks can be carried out.

A

full-knowledge test

19
Q

Penetration testing applications: Metasploit, Wireshark, Core Impact, Nessus, BackTrack, Cain and Abel, Kali Linux, John the Ripper. These are:

A
  1. Research the tools needed to carry out testing.
  2. Select the right individual to perform the test.
  3. Select the right individual to perform the test.
  4. Use manual as well as automated methods to test.
20
Q
  1. Recording of events that occur on organizational assets, systems, devices, networks, or facilities.
  2. Different types of logs exist for different types of events.
  3. Logs help identify security incidents, policy violations, and fraud.
  4. Logs are stored in detail for a specified amount of time for auditing.
  5. Available for: forensic analysis, investigations, baselines, trends, and identifying long-term problems.
  6. NIST SP 800-92 and NIST SP 800-137 set the standards for this process.
A

log reviews

21
Q

This is referred to as effective log management. It is a guide to the security of log management. It establishes policies and procedures for log management. It prioritizes log management appropriately throughout the organization. It creates and maintains a log management infrastructure and provides proper support for all staff with log management responsibilities.

A

NIST SP 800-92

22
Q

General functions: log parsing, event filtering, and event organization.

Storage: log rotation, log archival, log reduction, log conversion, log normalization, and log file integrity checking.

Log Analysis: event correlation, log viewing, and log reporting.

Log Disposal: log clearing

A

common log management infrastructure components

23
Q

This is a simple framework for log entry generation, storage, and transfer that any operating system, security software, or application could use for log maintenance. There are three parts to this type of log:
Part I: Specifies the facility and severity as numeric values.
Part II: Time stamp and the host name or IP address of the source of the log.
Part III: The actual log message content.

IETF RFC 3195 describes the implementation of greater syslog security, supporting CIA (confidentiality, integrity, and availability).

A

syslog

24
Q

This allows administrators to consolidate all security logs so they can perform analysis on all logs from a single resource rather than having to analyze each log on its separate resource. Two types of support for this include: Agentless and Agent-Based. It also supports log sources such as operating systems, security software, application servers, web/email servers, and physical security control devices, such as badge readers. It does not support syslog.

A

security information and event management (SIEM)

25
Q

Agents don’t need to be installed or configured on each host. However, there is a lack of filtering at the host level, which causes more data to be transferred.

A

Advantages and disadvantages of SIEM-Agentless

26
Q

Hosts and data reside on the SIEM server. Some of these servers PULL data from hosts, with the server authenticating to each host to regularly retrieve logs.
Some hosts PUSH data to the SIEM server; each host authenticates to the server, transferring logs regularly. Servers perform event filtering and aggregation, and log normalization and analysis, on the collected logs.

A

SIEM-Agentless

27
Q

An agent program is installed on the host to perform event filtering and aggregation and log normalization for a particular type of log. The host then transmits the normalized log data to a SIEM server on a real-time or near real-time basis for analysis/storage. Multiple agents may need to be installed if a host has multiple logs of interest. Some of these offer support for syslog and SNMP type logs. Some support custom-created agents to handle unsupported log sources.

A

SIEM-Agent-Based

28
Q

This is a type of proactive monitoring for website and user activity. It provides insight into the availability and performance of an application. It warns of potential issues before users experience any performance degradation. It uses external agents to run scripted transactions against an application.

A

synthetic transactions

29
Q

This is passive monitoring: a type of monitoring that captures and analyzes every transaction of every application or website user. It is the opposite of synthetic transactions and cuts through the guesswork to see exactly how users are interacting with the application.

A

real user monitoring (RUM)

30
Q

This must occur throughout the life cycle of the entire system and application. The goal is to identify bad programming patterns, security misconfigurations, functional bugs, and logic flaws. The plan/design phase tests architecture security and performs threat modeling. The development phase involves static source code analysis, manual code analysis, static binary code analysis, and manual binary review. Once an application is deployed, this process involves: penetration testing, vulnerability scanning, and fuzz testing.

A

code review and testing

31
Q

In these types, each line of the code is reviewed before the software is deployed.
Over-the-shoulder: a reviewer literally looks over the author’s shoulder as the author walks through the code line by line.
Email pass-around: Source code is emailed to reviewers automatically after the code is checked in.
Pair programming: Two authors develop code together at the same workstation.
Tool-assisted code review: Authors and reviewers use tools designed for peer code review.

A

formal code review types

32
Q

This is part of code review and testing. No internal details are known prior to this test.

A

black box testing

33
Q

This is part of code review and testing. Source code is known prior to the test.

A

white box testing

34
Q

This is also referred to as negative testing. This type of testing tests an application to ensure it can handle invalid input or unexpected behavior without crashing. It is also used to improve the quality of the application by identifying its weak points.

A

misuse case testing

35
Q

misuse case testing parameters

A
  1. Required fields must be populated.
  2. Fields with a defined data type can only accept data that is the required data type.
  3. Fields with character limits allow only the configured number of characters.
  4. Fields with a defined date range accept only dates within that range.
  5. Fields accept only valid data.
36
Q

Another term for misuse testing.

A

negative testing

37
Q

This uses test cases that are written against the application requirement specifications. The code doesn’t need to be seen by those writing the test cases. Usually the test is performed by the application developer as part of unit testing. Quality assurance groups use the test results to indicate test metrics and/or coverage according to the test plan. The test cannot test what has not been written.

A

test coverage analysis

38
Q

This type of testing evaluates whether an application’s systems or components correctly pass data and control to one another. It verifies whether module interactions are working properly and errors are handled correctly. This type of testing should cover interfaces for clients, servers, remote access, GUIs, APIs, external/internal systems, and physical interfaces.

A

interface testing

39
Q

NIST SP 800-137, account management, management review, key performance and risk indicators, backup verification data, training and awareness, disaster recovery and business continuity.

A

collect security process data - concepts

40
Q

This is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organization risk management decisions. [collect security process data]

A

NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

41
Q

A program that involves maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

A

information security continuous monitoring (ISCM)

42
Q

This is important because it involves the addition and/or deletion of accounts that are granted access to systems or networks. It involves changing the permissions and/or privileges granted to accounts. Non-monitored accounts can lead to fraudulent activities. Requirements include two-person controls: administrators alone create accounts, and a second person assigns the account the appropriate levels of permissions or privileges. Escalation involves the user getting more permissions based on new job duties or a job change. Revocation involves an account being closed or deleted due to an employee leaving the organization.

A

accounts management

43
Q

This occurs when the user’s account is granted more permissions based on new job duties or a complete job change. It involves fully analyzing the user’s needs prior to changing current permissions and privileges so the user has only what they need for the job. This requires separation of duties. For example, a user retains permissions to print checks, then is promoted and can also write checks. Fraud can occur if they can both write and print checks.

A

account management and escalation

44
Q

This occurs when the employee or user leaves the organization. Review what “objects” belong to the account to avoid deleting objects that may be needed by other users; otherwise, users may lose access. It is better to disable the account for a period of review before complete deletion. Review and distinguish between employees who leave voluntarily and those who are terminated.

A

account management and revocation

45
Q

This requires a review of all processes and should be mandatory. Guidelines and procedures should be established. This review should be timely and include minor issues, which could become major breaches.

A

management review

46
Q

Allows the organization to identify where risks are likely to occur. It is used to determine levels as normal, below normal, or above normal. This uses the NIST framework components: framework core, framework profiles, and framework implementation tiers.

A

key performance and risk indicators

47
Q

This is part of the NIST framework for improving critical infrastructure cybersecurity. It is a set of cybersecurity activities, outcomes, and informative references that provide common guidance for developing organizational profiles.

A

Framework Core

48
Q

This is part of the NIST framework for improving critical infrastructure cybersecurity. It helps an organization align its cybersecurity activities with its business requirements, risk tolerance, and resources.

A

Framework Profiles

49
Q

This is part of the NIST framework for improving critical infrastructure cybersecurity. It provides a mechanism for organizations to view and/or understand the characteristics of their approach to managing cybersecurity risk.

A

Framework Tiers

50
Q

Back up all collected data. Have appropriate backup policies in place for backup and restore of all security processes. Back up correctly or lose data. Test the backup and restore procedures on a regular basis.

A

backup verification data

51
Q

Everyone in the organization needs to have an understanding of the importance of the security training and testing program.

A

Training and awareness, disaster recovery, and business continuity.

52
Q

Personnel should understand manual reporting can be done as part of the security assessment and testing. Personnel may need special training on how to run manual reports. Reports have to be done in a timely fashion.
High level management: Needs a summary of reports.
Technical Personnel: Need detailed reports to implement appropriate controls.

A

analyze reports and test outputs

53
Q

Guidelines to consider as part of the security plan include: SAS 70, SSAE 16, SOC 1 Type 1 Report, and SOC 1 Type 2 Report. The processes include:

  1. Perform annual audits to establish security baselines.
  2. Determine objectives for audits and share with auditors.
  3. Set ground rules for the audit, including dates and times set for before and after the audit.
  4. Choose auditors who have security experience.
  5. Involve business unit managers early in the process.
  6. Ensure auditors rely on experience, not just checklists.
  7. Ensure that the audit is conducted properly.
  8. Ensure the auditor’s report reflects the risks that the organization has identified.
  9. Ensure that the audit is conducted properly.
  10. Ensure that the audit covers all systems and all policies and procedures.
  11. Examine the report when the audit is complete.
A

internal and third-party audits considerations

54
Q

This provides auditors with information / verification about data center controls and processes related to users and their financial reporting. It ensures controls and processes are actually being used. It is an older standard. SSAE 16 is the newer standard, resulting in SOC 1, SOC 2, and SOC 3.

A

Statement on Audits 70 (SAS 70)

55
Q

Pertains to the SOC Type 1 report and SOC Type 2 report. Audit guidelines that verify the controls and processes and also require a written assertion regarding the design and operating effectiveness of the controls being reviewed.

A

Statement on Standards for Attestation Engagement (SSAE) 16

56
Q

Focuses on the auditor’s opinion of the accuracy and completeness of the data center management’s design of controls, systems, and/or services.

A

SSAE 16, SOC 1, Type 1 Report

57
Q

Includes the Type 1 report as well as an audit of the effectiveness of controls over a certain time period, between six months and a year.

A

SSAE 16, SOC 1, Type 2 Report

58
Q

Provides benchmarks for controls related to the security, availability, processing integrity, confidentiality, and/or privacy of a system and its information. Includes service auditor testing and results. It is used by management and regulators and is shared under NDA. It reports on security, availability, processing integrity, confidentiality, or privacy controls.

A

SSAE 16, SOC 2

59
Q

This reports on: security, availability, processing integrity, confidentiality, or privacy controls. It is publicly available to anyone. It benchmarks controls related to those mentioned above on a system and its information. This report provides the system description and auditor’s opinion. It is used for general purposes. It provides a level of certification for data center operators that assures data center users of facility security, high availability, and process integrity.

A

SSAE 16, SOC 3

60
Q

Occurs when a user changes jobs within an organization and gains more user permissions than are necessary for the job duties.

A

authorization creep

61
Q

Two most important configurations for all user accounts.

A

strong passwords and least privilege