Domain 7 Flashcards
1
Q
__ determines the MTD e.g. this server can only be down for 4 hours.
A
BIA (Business Impact Analysis) determines the MTD (Maximum Tolerable/Allowable Downtime)
2
Q
__ firewall is software-based and filters anything coming into or leaving your system e.g. Windows firewall, ZoneAlarm (Windows), Application Firewall (Mac OS X)
A
Host-based firewall
3
Q
__ firewalls are referred to as ACLs (Access Control Lists) on some devices.
A
Packet filtering firewall. It inspects layer 3 IP header and is not very secure.
4
Q
__ firewalls maintain a state table so they can allow a syn ack only if there was a corresponding syn. They are primarily focused on layers 3 and 4.
A
Stateful inspection firewall. Looks at port while inspecting Layer 4 TCP/UDP header
5
Q
__ focuses on dynamically provisioning resources to cloud services e.g. providing computing resources of anywhere from 1 to thousands of systems within minutes such as Amazon during Nov/Dec. Organizations typically pay per unit, not per virtual host (based on equivalent CPU capacity).
A
Elastic Cloud Computing
6
Q
__ host discovery is the most direct way to identify a host, typically with a simple ping sweep. An additional stimulus beyond ICMP Echo Request is required for hardened systems.
A
active
7
Q
__ Intrusion __ System can take measures on its own to control and minimize damage such as spoofing a reset to both sides of the connection. This will drop the connection to control the damage. It can also use an API to tell the firewall to block an IP address.
A
Active IDS can take measures on its own to control and minimize damage.
8
Q
__ IDS sends an alert but does not stop attack. __ IDS stops the attack, usually be sending resets.
A
passive, active
9
Q
__ is a client service such as client email like Gmail.
A
SaaS (Software as a Service)
10
Q
__ is a cloud-based VPS such as a Linux server
A
IaaS (Infrastructure as a Service), VPS (Virtual Private Server)
11
Q
__ is a passive sniffer/sensor for analyzing and alerting on attacks whereas __ is an inline device that can block and stop attacks.
A
IDS, IPS
12
Q
__ is a plan that provides detailed steps to restore critical information systems and data.
A
DRP (Disaster Recovery Plan)
13
Q
__ is a plan to avoid irreparable loss of mission critical operations.
A
BCP (Business Continuity Planning)
14
Q
__ is a server service such as Apache web service.
A
PaaS (Platform as a Service). Admins have control over the service config only, not the general OS e.g. can restart the web service but not the entire system.
15
Q
__ is a strategic ongoing plan focused on business processes with the goal of proactively fixing potential problems. It is an ongoing, strategic and over-arching plan.
A
BCP (Business Continuity Planning)
16
Q
__ is a subcomponent of BCP that is a reactive plan focused on recovery when normal business operations are interrupted.
A
DRP (Disaster Recovery Plan)
17
Q
__ is a type of data redundancy that is similar to remote journaling but provides additional robust backup by storing duplicate data on multiple remote storage devices.
A
Database shadowing: similar to journaling but stored on multiple devices
18
Q
__ is a type of testing where team members step through the plan looking for errors or false assumptions.
A
structured walkthrough testing or validity testing
19
Q
__ is how long a system/process can be down before the mission is impacted.
A
RTO (Recovery Time Objective)
20
Q
__ is how long the business will allow a disruption of mission critical functions.
A
MTD (Maximum Tolerable Downtime)
21
Q
__ is primarily concerned with evidence and proving in court whether or not someone did something.
A
Forensics
22
Q
__ planning is short-term focused (has a stop and start) while __ planning is long-term focused (continuous)
A
DRP, BCP
23
Q
__ software focuses on worms and viruses. __ might bundle the functionality of antispyware, HIPS, application whitelisting, antivirus.
A
antivirus, antimalware
24
Q
__ testing involves actually failing over operations to an alternate computing facility.
A
full interruption testing
25
__ testing is a recovery to an alternate site with the main site still active
parallel testing involves actual recovery at an alternate computing facility but while normal operations are still maintained at the primary location.
26
__ testing is simply reviewing the plan to ensure all areas are covered.
read-through testing, checklist testing or consistency testing
27
__, __ and __ firewalls are all single connection while __, __ and __ firewalls are 2 connections.
Packet, Stateful, NGFWs are single connection. Application, Application-Level and Circuit Proxy are 2 connection firewalls.
28
__is a subcomponent of BCP focused on rapid restoration of mission critical functions.
COOP (Continuing Operations Plan)
29
A __ backup copies only files that have changed since the last full backup was last performed.
Differential backup
30
A __ backup is the most efficient type of backup because it backs up the least amount of data each day.
Incremental backup
31
A __ backup is used if time and tape space is at an extreme premium, and usually resets the archive bit on the files after they have been backed up.
Incremental backup
32
A __ firewall develops a virtual connection between the host and destination, and typically sits at the session layer.
Circuit-Level Proxy Firewall, does NOT use application-level proxy software.
33
A __ firewall hides the origin of a packet and is implemented on a computer by using proxy server software.
Application-Level Proxy Firewall
34
A __ firewall is slower but more effective than a packet filtering firewall, and inspects ports.
SI (Stateful Inspection) firewall. Looks at port while inspecting Layer 4 TCP/UDP header
35
A __ firewall is the slowest of all firewalls since it fully analyses the entire packet, going all the way up to layer 7 and then back down to layer 1.
Proxy firewall (or 'Application proxy' because it processes packets at all 7 layers). Breaks the connection into two pieces
36
A __ firewall maintains one TCP connection with the client and one with the server.
Proxy firewall (or 'Application proxy' because it processes packets at all 7 layers). Breaks the connection into two pieces
37
A __ is a system directly connected to the internet such as a firewall or router. It is directly exposed to attack.
Bastion host e.g. web, mail, FTP servers. A host computer in the public area or DMZ that is exposed to attack from the Internet.
38
A __ testing is a walkthrough test that involves specific mock-up scenarios.
simulation or tabletop testing: team members respond as if an emergency is occuring. You may recover locations (emergency operations center and alternate sites) and enable communications liks while team members execute recovery steps in walk-through manner however you do not actually perform recovery actions (restore backups).
39
A __ will run an executable in a sandbox before being run on the client to make sure it does not do any damage.
MDD (Malware Detonation Device) or Sandboxing
40
A cloud-based service such as an Apache web service would be considered what?
PaaS (Platform as a Service). Admins have control over the service config only, not the general OS e.g. can restart the web service but not the entire system.
41
A device that continuously monitors web server logs, firewall and proxy logs, system and event logs and many others is __. It is detective
SIEM (Security Information and Event Management)
42
A false positive on __ which alerts on matching signatures can be an annoyance. A false positive on __ is a self-imposed DoS condition since it will block the traffic. This can potentially block business / revenue therefore false positives cannot be allowed in the config for this type of system.
IDS, IPS cannot allow false positives
43
A firewall that uses 2 separate connections with the best security is __ firewall.
Application Proxy firewall, processes packets at all 7 layers
44
A formalized agreement between two business entities to faciliate recovery after a disaster.
reciprocal agreement
45
A honey__ is a server, Honey__ is a network. Honey__ is a file.
honeypot (server), honeynet (network), honey token (file)
46
A inline device that is only alerting is an Intrusion __ System.
Prevention since inline, even though it is only alerting. The difference is how it is deployed.
47
A major patch was released that exploits 99% of your systems. You received approval from executives to patch it even though the next CCB meeting isn't until next week. What is the next step?
Present it at the next CCB meeting. Everything needs to be tracked in the CMDB (Change Management Database)
48
A single connection firewall with the best security?
NGFW (Next Generation Firewall)
49
A tangible object or physical evidence is known as __ evidence.
real evidence
50
According to __ you can stop 80% of all attacks with which 4 items.
ASD (Austrailian Signals Directorate): patching OS, patching applications, application whitelisting, limiting and controlling admin access
51
An oral testimony by a witness would be an example of __ evidence.
Direct
52
__ includes a focused vulnerability assessment to determine the weaknesses to the business process that has to be recovered (smaller than full risk assessment).
BIA (Business Impact Analysis)
53
Block-level striping is done at RAID __.
RAID 4,5,6
54
Burden of proof for criminal action is __.
Beyond a shadow of a doubt or beyond a reasonable doubt
55
Does RAID guarantee that if one drive fails, you will not lose information?
No because of RAID 0 which is for performance; RAID 1 and higher do meet that requirement.
56
During an evacuation the __ is typically the first one out and responsible for beginning the process of accounting for all employees.
meeting point leader
57
During incident handling, you should develop a report and send recommendations to management in the __ phase.
Lessons Learned Phase
58
Evidence must be gathered legally or it can't be used. This concept is called __.
Exclusionary rule
59
Explain the following IDS events and two IDS equations.
"TP: attack (getting alert when you should; alert, attack), TN: normal traffic (no alert and you shouldn’t be getting an alert; no alert, no attack), FP (getting alert when you shouldn't; alert, no attack), FN (not getting alert when you should; no alert, attack).
Trick: N implies 'no alert', P is 'alert'; then false or true is whether that is correct
TP+FN=100% attack traffic, TN+FP=100% normal traffic so if TP (implying attack traffic) is 60% then FN is 40%"
60
For data redundancy, __ is where a disk controller is duplicated so if one controller fails, the other controller operates. This does not denote multiple disks as baskups, but multiple disk controllers.
Disk duplexing
61
For firewalls we start filtering at layer __ since MAC address change hop by hop but IP addresses stay the same through the path.
3
62
For incident handling you should restore from backup in the __ phase. Make sure you do not restore compromised code.
Recovery phase
63
For security you should keep an inventory for IPs and running apps but you would not need to do so for __
user accounts
64
For the __ phase of incident handling you should fix the problem before putting the system back online.
Eradication phase
65
For the __ phase of incident handling you should use SMART guidelines to determine whether an event is an incident.
Identification phase, SMART - Specific, Measurable, Acheiveable, Realistic, Timely
66
How can we maximize the effectiveness of a firewall?
Make sure all connections are going through the firewall.
67
If done at a byte level it is RAID __.
RAID 3
68
If the TN for IDS events is 30% what is 70%. Is this the attack or normal traffic?
"FP, normal. TP: attack (getting alert when you should), TN: normal traffic (no alert and you shouldn’t be getting an alert), FP (getting alert when you shouldn't), FN (not getting alert when you should)
TP+FN=100% attack traffic, TN+FP=100% normal traffic so if TP (implying attack traffic) is 60% then FN is 40%"
69
If there are no other qualifiers on exam and ISC2 is just referring to normal mode IDS, they are referring to __ IDS.
passive IDS (monitor traffic and alert)
70
If you are doing a live implementation of a circuit level firewall, however applications are not working e.g. ftp and telnet, what may you need to do?
The network utilities have to be 'socksified' to operate. Choose this answer if you get question like this on exam.
71
If you are having trouble detecting unauthorized connectivity and need a preventative measure, you could use __ as an asset inventory of what devices can connect. To complement this and check the configuration of the devices you could use __.
802.1X, NAC (Network Access Control)
72
If you currently have 4 drives and want to implement RAID-1 how many drives do you need in total?
8 because you need 1 backup drive for every 1 active drive (each new drive mirrors each original drive)
73
If you need to patch a lot of systems e.g. 30/50/80K and if you don't do it within 5 days a vulnerability is guaranteed to crash your systems. Should you patch all systems immediately or do an incremental rollout?
Incremental rollout. This is probably the number one question people get wrong since they answer that the patch should be released right away.
74
If you want a firewall that breaks up a connection and optimizes performance which would you choose?
Circuit-Level Proxy Firewall, faster since it does not examine all 7 layers like a regular application proxy firewall.
75
In __, allowed EXEs are cryptographically hashed and verified. If programs are not pre-verified, then they cannot run.
Application Whitelisting: doesn't even care if a new malware binary is dropped into System32. The focus is on executables, applications, binaries once they attempt execution.
76
In a __ backup the file's archive bit is not reset until the next full backup.
Differential backup
77
In addition to considering an alternate location for recovery, many __ plans will take into account the possibility of running in the "recovered" state for 30 or more days.
COOP (Continuing Operations Plan)
78
In CCB each person has veto power however the __ can override the decision if they determine it's best for the business.
data owner
79
In RAID if it is done at a bit level it is RAID __.
RAID 2
80
In terms of data redundancy, __ is a batch process where data is transmitted through communication lines to storage on a remote server e.g. performed every evening at a specific time
Electronic vaulting
81
In the __ phase of incident handling you should make a clean binary backup of the system. In the __ phase you should secure the area, make a backup, change passwords and optionally pull the system off the network.
Identification phase, Containment
82
Infrastructure with computers and the latest data is a __ site.
hot site: fully functioning alternative data center with the latest information (fully redundant)
83
Infrastructure with computers but not the lastest data is a __ site.
warm site: so you would need to backup/restore
84
Infrastructure with no computers is a __ site.
cold site: basic infrastructure (walls, maybe some desks), no computers, basically a building
85
My cousin's sister's friend gave me this actual business document. This is an example of __.
hearsay
86
Name the types of BCP testing.
read-through/checklist/consistency testing (simply reviewing plan to ensure all areas are covered), structured walk-through or validity testing (team members step through plan looking for errors or false assumptions), simulation or tabletop (walkthrough test that involves specific mock-up scenarios), parallel (recovery to an alternate site with main site still active), full interruption (actual failover to the alternate computing facility)
87
Printed business records, manuals and printouts are examples of __ evidence.
documentary evidence
88
RAID __ increases flexibility in the implementation and fault tolerance because there is no longer a single point of failure when it comes to parity.
RAID 5
89
RAID __ is often called interleave parity
RAID 5
90
RAID __ is often referred to as striping
RAID 0
91
RAID __ is the simplest, least optimized form of RAID and requires a one-to-one disk ratio.
RAID 1
92
RAID __ uses a dedicated parity drive and is implemented at the block level.
RAID 4
93
RAID implementations go from bit to byte to block. The smaller the unit (bit) the more granular errors can be tracked and the less amount of data has to be replicated, however what is the downside of smaller units?
Less efficient because more information has to be tracked.
94
Recovering an organization whenever an adverse event interrupts normal business operations is called __.
IR (Incident Response). You want to minimize damage and get back to a normal operating state
95
Regarding search and seizure, __ is issued by a court to law enforcement for tangible objects. __ is issued by a court to an individual.
search warrant, subpoena (if you violate and don't show to court you could get arrested and go to jail)
96
Server clustering is similar to redundant servers except that all the services in the cluster are __ and take part in __. The cluster acts as a single entity and balances the load to improve performance.
online, processing service requests
97
SOCKS is the most common example of a __ firewall and is used to authenticate a client.
Circuit-Level Proxy Firewall, does NOT use application-level proxy software.
98
Summarize the RAID levels
"RAID 0 (striped set, no redundancy), RAID 1 (mirrored set, fully redundant), RAID 2 Obsolete, bit interleaved, hamming code), RAID 3 (dedicated parity, byte-level striping), RAID 4 (dedicated parity, block-level striping), RAID 5 distributed parity, block-level striping), RAID 6 (double distributed parity, block-level striping)
'RAID Summary - D7 pg 146"""
99
The __ deals with the restoration or continued operations of the business processes whereas the __ deals with the restoration of the critical information systems that support the business processes.
BCP, DRP
100
The __ involves collection and identification, storage/preservation/transportation, presentation in court, and returning to the victim (owner).
Evidence Life Cycle
101
The __ is ultimately responsible for an evacuation and is the last one out
safety warden: often a company officer or executive
102
The __ is where the cost to recover and the cost of disruption meets.
Cost Balance Point D7 pg 164
103
The __ phase of incident handling includes updating the disaster recovery plan and providing checklists and procedures.
Preparation, D7 pg 104
104
The __ rule is to limit the potential for alteration.
Best evidence rule
105
The BIA uses information from the __ to prioritize business functions and calculate business impact.
vulnerability assessment: identifies critical business functions; results are used as input to recovery strategy
106
The error checking for RAID level 2 is done through parity information created using a __ which detects errors and establishes which part of which drive is in error.
hamming code
107
The fastest type of firewall is __
Packet filtering firewall. It inspects layer 3 IP header and is not very secure.
108
The key differentiating feature of __ firewall versus traditional firewalls is that this type can understand and filter specific client-side application capabilities.
NGFW (Next Generation Firewall)
109
The primary focus of __ is on taking files and rendering/executing them in advance of passing them to the target.
MDD (Malware Detonation Device) or Sandboxing
110
There are some exceptions however most business records that are generated electronically fall under the __ rule and are considered to be unreliable and inaccurate simply because there is no way to prove otherwise.
Hearsay Rule
111
Third-party or second-hand evidence can also be called __ and under the US Federal Rules of Evidence, it is inadmissable in court. An exception is business documents and public records e.g. my sister's cousin's friend gave me this actual business document.
hearsay
112
This most effective firewall looks at layer 7 application headers, uses a single connection and is the slowest firewall.
NGFW (Next Generation Firewall)
113
This type of data redundancy transmits data in real-time or near real-time to backup storage at a remote location.
Remote journaling: data written to second system in close to real time
114
This type of firewall is overtly instrumented to handle layer 7 aspects. An example of a __ firewall would be blocking facebook chat for all end users except a few executives due to data exfiltration.
NGFW (Next Generation Firewall)
115
This type of RAID is commonly called mirroring because it mirrors data from one disk to another.
RAID 1
116
This type of RAID stripes data across disks but provides no redundancy. It is good for performance.
RAID 0
117
This type of RAID uses a dedicated parity drive and is implemented at the byte level.
RAID 3
118
Three types of NIDS are __.
Signature Matching, Protocol Behavior, Anomaly Detection
119
To implement RAID __ you need a total of 39 disks, 32 for data storage and 7 for error recovery of that data. This method is performed at a bit level and therefore is not as efficient as other methods.
RAID 2
120
Today's adversaries are so advanced that no single log may indicate an attack however if you correlate logs using this type of monitoring tool, you may be able to see unusual patterns and identify the adversary.
SIEM (Security Information and Event Management)
121
Using a model, chart or illustration to aid the jury is an example of __ evidence.
demonstrative evidence
122
We use the __ numbering system to uniquely tag and identify data, for instance so it could be recovered as part of the eDiscovery process.
Bates numbering system
123
What is necessary in order for audit information to be useful when handling employee issues?
It needs to be reviewed regularly; everything else is secondary (centrally managing the logs, etc), if they're not reviewed, nothing else will matter
124
What is required for centralized logging to work properly?
NTP (Network Time Protocol) server must be used. If you have centralized logging but no consistent time source you cannot correlate.
125
What is the best way to secure a service?
Best answer is to turn the service off or uninstall it. Secondary is to agressively apply patches.
126
What is the golden rule of change management.
All changes must go through the CCB. If emergency, you can still make emergency changes as long as you present it at the next meeting.
127
What is the only RAID level that requires an exact number of drives?
RAID 2
128
What is the primary reason for centralized logging?
To get the logs off the system as quick as possible to prevent adversary from covering their tracks aka protection/safety of the logs. Do NOT pick correlation of the logs which would only be a secondary reason.
129
What is the process for Incident Handling?
"Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. remember 'PIC ERL'
D7 pg 102"
130
What must be true about audit trails in order to safely use them in employee terminations?
They are reviewed on a regular basis
131
What RAID level is now obsolete?
RAID 2
132
When a vendor releases a patch they are telling the world there is a vulnerability. If the adversary can break in before the patch is applied he wins, if you patch before they break in, you win. What is this called?
Race condition
133
When looking at a threat you need to identify the source of the threat which is typically __ and the cause of damage which is normally __.
external, internal (insider in organization) e.g. user clicking email that allowed adversary a pivot point to break in. need to differentiate since you will remediate the issue differently depending on the cause
134
Which RAID is the first to intermix drives that have both data and parity?
RAID 5
135
Which RAID(s) use one set of drives for data and separate drive(s) for error recovery codes?
RAID 2,3,4
136
Which RAID systems will guarantee that even if one drive fails, you will NOT lose information.
RAID 1 and higher. You WILL lose information with RAID 0 which is for performance
137
With __ host discovery we employ a sniffer and simply look for evidence of traffic indicative of systems.
passive
138
Which backup method does not reset the archive bit on files that are backed up?
Differential backup
139
An advantage of a __ backup is that if your system needs to be restored, it only requires two tapes.
Differential backup
140
This 'additive backup method' is additive in the fact that it does not reset the archive bit so all changed or added files are backed up in every backup until the next full backup.
differential backup
141
A __ backup is the most efficient type of backup because it backs up the least amount of data each day.
Incremental backup
142
This type of backup requires the most tapes.
Incremental backup
