CISSP: Security Operations Flashcards Preview

CISSP > CISSP: Security Operations > Flashcards

Flashcards in CISSP: Security Operations Deck (18)
Loading flashcards...
0

2. Recording data traveling on a network is known as

A. Promiscuous mode
B. Packet sniffing
C. Packet snoring
D. Packing sneaking

B. Packet sniffing

Packet sniffing is the technique used to record network traffic. Review “Penetration testing.”

1

1. The two types of intrusion detection are

A. Attack-based systems and response-based systems
B. Signature-based systems and anomaly-based systems
C. Knowledge-based systems and scripture-based systems
D. Passive monitoring systems and active monitoring systems

B. Signature-based systems and anomaly-based systems

The two types of IDS systems are signature-based and anomaly-based. Review “Intrusion detection and prevention.”

2

3. Which of the following is NOT an example of penetration testing?

A. Radiation monitoring
B. War driving
C. Port scanning
D. War diving

D. War diving

War diving isn’t a testing technique, but radiation monitoring, war driving, and port scanning are. Review “Penetration testing.”

3

4. Trusted recovery is concerned with

A. The ability of a system to be rebuilt
B. The vulnerability of a system while it’s being rebuilt
C. The ability of a system to rebuild itself
D. The willingness of a system to rebuild itself

B. The vulnerability of a system while it’s being rebuilt.

Most operating systems in single-user mode lack the security controls present in a system that’s fully operational. Review “Security Controls.”

4

5. The third-party inspection of a system is known as a(n)

A. Confidence check
B. Integrity trail
C. Audit trail
D. Audit

D. Audit

An audit is an inspection of a system or process. Review “Security Auditing and Due Care.”

5

6. One of the primary concerns with long-term audit log retention is

A. Whether anyone will be around who can find them
B. Whether any violations of privacy laws have occurred
C. Whether anyone will be around who understands them
D. Whether any tape/disk drives will be available to read them

D. Whether any tape/disk drives will be available to read them.

The challenge with audit log retention is choosing a medium that will be readable many years in the future. Review “Retaining audit logs.”

6

7. The required operating state of a network interface on a system running a sniffer is

A. Open mode
B. Promiscuous mode
C. Licentious mode
D. Pretentious mode

B. Promiscuous mode

Promiscuous mode is the term that describes the state of a system that’s accepting all packets on the network, not just those packets destined for the system. Review “Penetration testing.”

7

8. Filling a system’s hard drive so that it can no longer record audit records is known as a(n)

A. Audit lock-out
B. Audit exception
C. Denial of Facilities attack
D. Denial of Service attack

D. Denial of Service attack

Filling a system’s hard drive is one way to launch a Denial of Service attack on an audit log mechanism. Filling the hard drive prevents the mechanism from being able to write additional entries to the log. Review “Protection of audit logs.”

8

9. An investigator who needs to have access to detailed employee event information may need to use

A. Keystroke monitoring
B. Intrusion detection
C. Keystroke analysis
D. Trend analysis

9 A. Keystroke monitoring

Keystroke monitoring records every key press and mouse movement. Review “Keystroke monitoring.”

9

10. Which of the following is NOT true about a signature-based IDS?

A. It reports a low number of false-positives.
B. It requires periodic updating of its signature files.
C. It reports a high number of false-positives.
D. It can’t detect anomalies based on trends.

C. It reports a high number of false-positives.

Signature-based IDSs generally have a low number of false-positives. Review “Intrusion detection and prevention.”

10

Which of the following is not commonly used to eliminate single points of failure?
a. RAID 0
b. RAID 1
c. A second connection to the internet by using a different ISP
d. Load balanced cluster server array

A. RAID 0, a stripe set, provides improved performance but no fault tolerance or redundancy

11

In black box penetration testing, what information is provided to the red team about the target environment?
a. The targets and testing time frame
b. Everything
c. Nothing
d. The IP subnet architecture of the enterprise

C. Black box testing provides no information to the testing team (the red team).

12

What term describes the statistical appraisal of the functional lifetime of a system or device?
a. Maximum tolerable downtime (MTD)
b. Statistical deviation
c. Mean time to repair (MTTR)
d. Mean time between failures (MTBF)

D. Mean time between failure (MTBF) is the statistical appraisal of the functional lifetime of a system or device.

13

A device used to return all bits on magnetic media to a neutral state is performing what function?
a. Active reconnaissance
b. Zeroization
c. Zero-day attack
d. Passive reconnaissance

B. Degaussing or overwriting all bits with zeros returns all magnetic impulses that represent bits on magnetic media to a neutral state. This process is called zeroization.

14

Hierarchical storage management (HSM) is best described by which of the following?
a. The way files and directories are stored on a disk drive
b. The way tapes are rotated offsite by armed guards in armored trucks
c. The way files are migrated away from expensive and fast storage onto cheaper and slower storage
d. The way disk drives are spun down to reduce power consumption and heat and prolong the life of the disks when the files they hold are not needed.

C. In HSM, files are migrated away from expensive and fast storage onto cheaper and slower storage as the data becomes less current and or useful to users. Typically, in an HSM environment, the data remains online but with longer access times.

15

Using a sniffer would be used first during which phase of the targeted attack.
a. Active reconnaissance
b. Passive reconnaissance
c. Pillaging
d. Fingerprinting

B. Sniffers are typically undetectable on networks and therefore perform passive reconnaissance.

16

Which of the following describes the cause of collusion and the best defense against collusion?
a. A well-defined penetration testing agreement
b. Separation of duties and job rotation
c. Software vulnerabilities and regular operation system and application updating
d. Data redundancy and fault tolerant technologies

B. Separation of duties is a primary line of defense against fraud, which prevents a single employee from successfully and completely committing a fraudulent act, forcing multiple employees to collude to commit a fraudulent act successfully. Job rotation cycles different employees into critical roles to detect fraud if it is being committed and, if separation of duties is appropriately enacted, the only way fraud could be accomplished is through collusion.

17

When Nicole gets a transfer to a different department and role, why would an administrator need to remove her privileges?
a. To eliminate single points of failure
b. To avoid sequential access processes
c. To reset the archive ti
d. To avoid authorization creep

D. To maintain the principle of least privilege and avoid authorization creep, also known as authorization aggregation, an administrator would remove the now unneeded permissions related to Nicole's old position and grant additional permissions appropriate for Nicole's new position.