Chapter 7 - Security Operations

Question 1

In the even of a security incident, one of the primary objectives of operations staff is to ensure that: A. the attackers are detected and stopped B. there is minimal disruption to the organization’s mission C. appropriate documentation about the event is maintaqined as chain of evidence D. the affected systems are immediately shut off to limit to the impact

Answer 1

B. there is minimal disruption to the organization’s mission

Question 2

Assuming a working IDS is in place, which of the following groups is best capable of stealing sensitive information due to the abscence of system auditing? A. Malicious software B. Hacker or cracker C. Disgruntled employee D. Auditors

Answer 2

C. Disgruntled employee

Question 3

Which of the following provides controlled and un-intercepted interfaces into privliged user functions? A. Ring protection B. Anti-malware C. Maintenance hooks D. Trusted paths

Answer 3

D. Trusted paths

Question 4

The doors of a data center spring open in the event of a fire. This is an example of A. Fail-safe B. Fail-secure C. Fail-proof D. Fail-closed

Answer 4

A. Fail-safe

Question 5

Which of the following ensures constant redundancy and fault tolerance? A. Cold spare B. Warm spare C. Hot spare D. Archives

Answer 5

C. Hot spare

Question 6

If speed is preferred over resilience, which of the following raid configuration is the best choice? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10

Answer 6

A. RAID 0

Question 7

Updating records in multiple locations or copying an entire database to a remote location as a means to ensure the appropriate levels of fault tolerance and redundancy is known as A. Data mirroring B. Shadowing C. Back up D. Archiving

Answer 7

B. Shadowing

Question 8

When the backup window is not long enough to backup all of the data and sthe restoration of backup must be as fast as possible, which of the following types of high-availability backup strategy is best? A. Full B. Incremental C. Differential D. Increase the backup window so a full backup can be performed

Answer 8

C. Differential

Question 9

At a restricted facility, visitors are requested to provide identification and verified against a pre-approved list by the guard at the front gate before being let in. This is an example of checking for: A. Least privilege B. Separation of duties C. Fail-safe D. Psychological acceptability

Answer 9

A. Least privilege

Question 10

The major benefit of information classification is to: A. map out the computing ecosystem B. identify the threats and vulnerabilities C. determine the software baseline D. identify the appropriate level of protection needs

Answer 10

D. identify the appropriate level of protection needs

Question 11

When sensitive information is no longer critical but still within scope of a record retention policy, that information is best: A. Destroyed B. Re-categorized C. Degaussed D. Released

Answer 11

B. Re-categorized

Question 12

The main benefit of placing users into groups and roles is: A. ease of user administration B. Increased security C. Ease of programmatic access D. Increased automation

Answer 12

A. ease of user administration

Question 13

Which of the following best determines access and suitability of an individual? A. job rank and title B. partnership with the security team C. role D. background investigation

Answer 13

D. background investigation

Question 14

Reports must be specific on both the message and which of the following? A. Intended audience B. Delivery options C. Colors used D. print layout

Answer 14

A. Intended audience

Question 15

Which of the following can help with ensuring that only the needed logs are collected for monitoring? A. clipping level B. Aggreagation C. XML Parsing D. Inference

Answer 15

A. clipping level

Question 16

The main difference between a Security Event Information System and a log management system is that SEIM systems are usefull for log collection, collation and analysis: A. real time B. for historical purposes C. for admissibility in court D. in discerning patterns

Answer 16

A. real time

Question 17

When normal traffic is flagged as an attack, it is an example of: A. Fail-safe B. Fail-secure C. False-negative D. False-positive

Answer 17

D. False-positive

Question 18

The best way to ensure that there is not data remance of sensitive information that was once stored on a dvd-r media is by: A. Deletion B. Degaussing C. Destruction D. Overwriting

Answer 18

C. Destruction

Question 19

Which of the following processes is concerned with not only identifying and addressing the root cause but also addressing the underlying issue: A. Incident management B. Problem management C. Change management D. Configuration management

Answer 19

B. Problem management

Question 20

Before applying a software update tp production systems, it is most important that: A. full disclosure information about the threat that the patch addresses is available B. The patching process is documented C. The production systems are backed up D. An independent third party attests the validity of the patch

Answer 20

C. The production systems are backed up

Question 21

Least privilege

Answer 21

no more access than necessary to perform a job

Question 22

need to know

Answer 22

defines the minimum for least privilege

Question 23

Privilieged accounts

Answer 23

root/builtin adminstrator accounts; service accounts; administrator accounts, and power user accounts

Question 24

system administrator

Answer 24

highest level of privilege on most systems, managing systems operations and maintenance

Question 25

operators

Answer 25

typically were mainframe system users, schedule jobs to run effectively and troubleshoot problems, load/unload tapes and result of job print runs, reassignment of ports and lines

Question 26

security administrator

Answer 26

oversight for security operations, acct managment, assignment of labels, system security settings and review of audit logs

Question 27

job rotations

Answer 27

reduce the risk of collusion of activities between individuals - also provides back up coverage, succession planning, and job enrichment opportunities

Question 28

information classification

Answer 28

group similar assets together and protect them based on common classification levels

Question 29

marking

Answer 29

labels should have sensitivity marking, whether or not encrypted, and maybe point of contact and retention period

Question 30

magnetic media

Answer 30

floppy disks, tapes, hard drives

Question 31

optical media

Answer 31

cd. dvd

Question 32

solid state media

Answer 32

flash drive and memory cards

Question 33

hard copy

Answer 33

paper, microfiche

Question 34

original media

Answer 34

should be controlled thru a software librarian

Question 35

inventory scans of installed software

Answer 35

should be conducted to identify unauthorized installations or license violations

Question 36

IDS

Answer 36

maybe deployed out of band - will not affect processes or cause latency, but attacks will likely reach their intended target

Question 37

IPS

Answer 37

in-line, cause some latency and slow down processes, but affected attacks will not likely reach their intended target

Question 38

signature or pattern matching systems

Answer 38

matches known attacks

Question 39

protocol anomaly based systems

Answer 39

network traffic confirms to the defined standard for that protocol

Question 40

statistical anomaly based system

Answer 40

establish baseline, detect deviations

Question 41

Security Event Information Management (SEIM)

Answer 41

provides common platform for log collection, collation, and analysis in real-time to allow for more effective and efficient response

Question 42

containment strategy

Answer 42

need to preserve forensic evidence, availability of services, damage leaving affected component in place, time required for containment strategy to be efective, resources needed to contain

Question 43

forensic evidence

Answer 43

obtain image of ram and hard drive, then determine how to mitigate

Question 44

US COmputer Emergency Readiness Team (US-CERT)

Answer 44

Government agaencies must report breach of PII within an hour of discovery

Question 45

configuration management

Answer 45

process of identifying and dcoumenting hardware components, software, and the associated settings

Question 46

Fail-safe

Answer 46

focus on failing with a minimum of harm to personnel or systems

Question 47

Fail-secure

Answer 47

focus on failing in a controlled manner to block access while the system is in an inconsistent state

Question 48

NAS

Answer 48

simply store and serve files

Question 49

SAN

Answer 49

block level storage

Question 50

RAID 0

Answer 50

stripes across multiple disks without parity, fast reading, no redundancy

Question 51

RAID 1

Answer 51

Creates two indentical drives - data mirroring

Question 52

RAID 2

Answer 52

not used in practice - data spread across at bit level

Question 53

RAID 3/4

Answer 53

Strioing and redundancy in form of parity drive - RAID 3 - byte level - more efficient, RAID 4 - block level - faster

Question 54

RAID 5

Answer 54

Like RAID4 but parity is striped

Question 55

RAID 6

Answer 55

2 sets of parity, allows for failure of 2 drives, less performance, not frequently used

Question 56

Electronic vaulting

Answer 56

backing up system over network - separate location (vault site), sent in real time when implemented as a mirror

Question 57

Journaling

Answer 57

provides redundancy for transactions