CISSP Domain 7 Flashcards

1
Q

Incident management steps

A

Detect
Response - Severity of incident (CIRT)
Mitigate
Reporting
Recovery
Remediation
Lessons learned

2
Q

Primary goals of effective incident management

A

Limit effect or scope of an incident

3
Q

Recovery

A

Effective incident and configuration management

4
Q

Remediation

A

Perform RCA

5
Q

Botnets

A

Multiple bots in a network form a botnet and do whatever the attacker instructs them to do

Controlled through C&C (command and control)

6
Q

DoS

A

So many data packets are sent to a server that the system slows down

7
Q

DDoS

A

When multiple systems attack a single system at the same time

8
Q

DRoS

A

Manipulates traffic or a network device so that the attack is reflected back to the victim from other sources

9
Q

SYN flood

A

Doesn't complete the three-way handshake

Doesn't send the final ACK, so the victim is flooded with half-open connections

10
Q

Smurf attack

A

Floods the victim with ICMP echo packets instead of TCP SYN packets
The attacker sends echo requests as a broadcast to all systems on the network, spoofing the source IP address as the victim's.

All these systems respond with echo replies to the spoofed IP address

11
Q

Fraggle attack

A

A Smurf attack that uses UDP instead of ICMP

12
Q

Ping flood

A

Floods the victim with ping requests

13
Q

Ping of death

A

Oversized ping packets

14
Q

Teardrop

A

Attacker sends fragmented data packets that the receiving system cannot reassemble properly

15
Q

Land attack

A

Sends spoofed SYN packets to a victim using the victim's IP address as both the source and destination IP address

16
Q

2 types of MiTM

A

Sniffing traffic between two parties

Store-and-forward proxy that sits in between the two parties

17
Q

Types of IDS

A

Knowledge based - signature based; the IDS can have sensors or agents to monitor key devices

Behaviour based - creates a baseline to detect abnormal behaviour

18
Q

IDS response

A

Passive response - notification sent to admins by email or text message

Dashboard type

Active response - modifies the environment, e.g. using a firewall

19
Q

IDS types

A

Host based

Network based

20
Q

NIPS

A

Blocks an attack after it starts

21
Q

Honeypot and Honeynet

A

Enticement or decoy

Don't let it become entrapment

Honeynet - two or more networked honeypots used together

Hosted on a VM for easy re-creation

22
Q

Firewall blocks

A

Router configured to block broadcasts

Private IP addresses

23
Q

Sandboxing

A

Provides a security boundary for apps and prevents them from interacting with other apps

24
Q

Goal of logging and monitoring

A

To prevent incidents and provide effective response when they occur

25
Q

Common log types - Security

A

Security logs: record access to resources such as files, folders and printers

26
Q

System logs

A

Record when the system or a service starts or stops

27
Q

Application logs

A

The application developer chooses what to record in the application logs

28
Q

What type of control are audit trails?

A

Deterrent

29
Q

SIEM - Sampling

A

Data reduction: uses precise mathematical functions to extract meaningful information from a large volume of data

30
Q

Clipping levels

A

Non-statistical sampling
Discretionary sampling - at the discretion of the owner
Predefined threshold for the event

31
Q

Rollover logging

A

Admins set a maximum log size, then the logs are overwritten

32
Q

SOAR

A

Automated response to some incidents

33
Q

SOAR - Incident response methods

A

Playbook - what needs to be done if an incident occurs
Runbook - playbook data put into an automated tool
Example: an IDS implementing it; SOAR technologies will automatically deal with false positives based on the runbook

34
Q

Difference between ML and AI?

A

Reinforcement learning (plays itself) vs zero knowledge of the game
**Separate algorithm outside of the AI system enforces the rules**
Behaviour based: uses ML to learn from false positives
AI starts without a baseline and creates its own baseline based on traffic; it looks for anomalies

35
Q

Threat intelligence

A

Gathering data on potential threats

36
Q

Kill chain

A

Reconnaissance
Weaponization
Delivery
Exploitation
Installation
C&C
Actions on objectives

37
Q

MITRE ATT&CK

A

Knowledge base of TTPs (tactics, techniques and procedures) used by attackers in various attacks

38
Q

Threat feeds

A

Steady stream of raw data related to current and potential threats:
Suspicious domains
Known malware hashes
Code shared on internet sites
IP addresses linked to malicious activity

39
Q

Threat hunting

A

Actively searching for cyber threats in networks, basically looking for IoCs

40
Q

False negatives

A

When there is an attack but the IDS doesn't detect it or raise an alert

41
Q

Ingress and egress monitoring

A

Ingress: monitoring incoming traffic
Egress: monitoring outgoing traffic

42
Q

Fault tolerance

A

Primary goal of fault tolerance is to eliminate SPOFs
Ability of a system to suffer a fault but continue to operate
Achieved by a RAID array or additional components in a failover clustered configuration

43
Q

SPOF

A

A component whose failure can cause the entire system to fail

44
Q

System resilience

A

Ability of a system to maintain an acceptable level of service during an adverse event
In some definitions, the ability of a system to return to its previous state **after an adverse event**

45
Q

High availability

A

Use of redundant technology components to allow the system to quickly recover from a failure after experiencing a brief disruption
Load balancing and failover servers

46
Q

Load balancing

A

Primary responsibility is to balance network traffic and handle more load
But it can also sense a server failure and stop sending traffic to it

47
Q

UPS and generator

A

Goal of a UPS is to provide power for 15-30 minutes so that you can logically shut down the system
Generator provides power for long enough

48
Q

Fail open vs fail secure state

A

Fail open: grants all access
Fail secure: blocks all access
**Choice should be based on whether security or availability matters more**

49
Q

Two elements of recovery process

A

1. Failure preparation: system resilience, fault tolerance, reliable backup solution
2. System recovery: restoration of all affected files and services actively in use on the system at the time of the failure or crash

50
Q

Type of recovery

A

Manual recovery
Automatic recovery
Automated recovery without undue loss: specific objects are protected to prevent their loss; additionally you can rebuild data from transaction logs
Function recovery: specific functions

51
Q

QoS

A

Protects availability of the data network under load
Bandwidth: network capacity to carry load
Jitter: variation in latency between packets
Latency: time taken to travel from source to destination
Packet loss: packets lost between source and destination
Interference: noise, corruption of packets

52
Q

One of the goals of DRP

A

Restoration of work groups to the point where they can resume their activities in their usual work locations

53
Q

Alternate processing sites

A

Cold site: the facility is there but nothing more; it might take a week or two to get it running
Hot site: expensive; can be up and running
Warm site: might take 12 hours; some critical components are there; "No lockout policy"
Mobile site: any operating location; it can be deployed on a fly-away basis; best for a workgroup

54
Q

Mutual assistance agreement

A

Two organisations assist each other in the event of a disaster
Concerns:
1. Same geography
2. Confidentiality
3. Refusal to support

55
Q

Electronic vaulting

A

**Bulk transfer to a remote site**
Stored in backup vaults off-site

56
Q

Remote journaling

A

Backup of DB transaction logs that have occurred since the previous **bulk transfer**

57
Q

Remote mirroring

A

A live DB is maintained at the backup site
**Remote server** receives a copy of database modifications at the same time as the production server

58
Q

Important point when it comes to checklists

A

Arrange checklist tasks in order of priority, with the most important task first

59
Q

Backups and off-site storage

A

Full backup - complete copy of the data contained on the protected device
Incremental backup - whatever data was modified (**stores only those files**) is backed up at the end of the day, since the last full backup
Differential backup - *stores all data/files modified* since the last full backup

60
Q

Difference between incremental and differential backup

A

Time to restore data in the event of an emergency
Full + differential - the 2 most recent backup files (one of each)
Full + incremental - most recent full + all incrementals since the full backup
**Differential backup takes longer to create but less time to restore compared to incremental**

61
Q

Software escrow agreement

A

Tool to protect against the failure of a software developer to provide support for its products, e.g. the possibility of the developer going out of business and no tech support being available

62
Q

Recovery vs Restoration

A

Recovery: bringing business operations and processes back to a working state
Restoration: bringing the business facility and environment back to a workable state

63
Q

Salvage team

A

To restore the company to full capabilities so it can begin its work

64
Q

Structured walk-through

A

Scenario based: in a large conference room, role-play a disaster scenario; participants refer to their copies of the plan and discuss the response to it
May involve interruption of non-critical business activities

65
Q

Simulation test

A

A scenario is presented and the team is asked to develop a response
Then the response is tested

66
Q

Parallel test

A

Relocation of personnel to the alternate recovery site and implementation of site activation

67
Q

Full interruption test

A

Shutting down operations at the primary site and shifting them to the recovery site

68
Q

Redundant

A

Copy or duplicate

69
Q

RAID 0

A

Performance and data striping

70
Q

RAID 1, 1-0, 3, 5, 6

A

RAID 1 - availability by mirroring, 2 disks
RAID 1-0 - striping and mirroring
RAID 3 - parity bit (disk) to reconstruct data if any **one** of multiple disks fails
RAID 5 - parity distributed across all disks
RAID 6 - 2 parity disks; if 2 disks fail you can still recover the data

71
Q

Configuration management

A

Baselining for all systems

72
Q

Recovery team

A

Used to get critical functions running at the alternate site

73
Q

Salvage team

A

Used to return the primary site to normal

74
Q

Waterfall

A

Very linear; each phase leads to the next
Once a phase is done you can't go back

75
Q

Administrative investigations

A

Policy violations internal to the organization

76
Q

Criminal investigations

A

Conducted by law enforcement
Standard of proof: beyond a reasonable doubt

77
Q

Civil investigation

A

Internal employees and outside consultants on behalf of legal teams

78
Q

Regulatory investigations

A

Conducted by government agencies when individuals have violated administrative law

79
Q

E-discovery and steps

A

To preserve evidence and share information with adversaries in the proceedings
Information governance
Identification
Preservation
Collection
Processing
Review
Analysis
Production
Presentation

80
Q

Admissible evidence and requirements

A

Relevant - fact
Material - related to the case
Competent - obtained legally

81
Q

Types of evidence and evidence rules

A

1. Real evidence - object evidence
2. Documentary evidence - written items
   - Best evidence rule
   - Parol evidence rule - written agreement, no verbal agreement
   If documentary evidence follows the above 2 rules + the 3 admissibility rules, then it can be admitted to court
3. Testimonial evidence - testimony of witnesses, through direct testimony or expert opinion
4. Demonstrative evidence - evidence used to support testimonial evidence

82
Q

Media analysis - Always work on a copy

A

Identification and extraction of information from storage media
a. Magnetic media
b. Optical media
Use a write blocker to avoid tampering with the data after disconnecting the media and connecting it to the physical workstation

83
Q

In-memory analysis

A

When gathering contents from memory, the analyst should use trusted tools, e.g. a memory dump file
Compute cryptographic hash values for authenticity

84
Q

Network analysis

A

Use a SPAN port - generates a copy of the packet dump

86
Q

Software analysis

A

Software code - looking for logic bombs, backdoors

87
Q

Hardware / embedded device

A

Contents of the hardware

88
Q

Investigating process

A

Gathering evidence:
1. Voluntary surrender
2. Subpoena
3. Plain view doctrine
4. Search warrant
5. Exigent circumstances
Calling in law enforcement
Conducting the investigation
Interviewing individuals
Data integrity and data retention
Reporting and documenting investigations

89
Q

APT

A

Advanced technical skills and resources; act on behalf of a nation state or organised crime

90
Q

Script kiddies

A

For the thrill, the attackers may download scripts freely available on the internet to compromise systems