Domain 7, Security Operations

Question 1

BCP

Answer 1

Business continuity Plan. Long term plan to ensure the continuity of business ops.

Question 2

Collusion

Answer 2

agreement between 2+ individuals to subvert sec system.

Question 3

Continuity of Operations Plan - COOP

Answer 3

Plan to maintain ops during a disaster.

Question 4

Disaster

Answer 4

Disruptive event that interrupts normal system operations

Question 5

Disaster recovery plan DRP

Answer 5

Short term plan to recover from a disruptive event.

Question 6

MTBF

Answer 6

Mean time between failures

Question 7

MTTR

Answer 7

Mean time to repair/recover

Question 8

Mirroring

Answer 8

RAID - Duplication of data to another disk

Question 9

RAID

Answer 9

Redundant array of inexpensive disks

Question 10

Striping

Answer 10

Spread data across multiple disks.

Question 11

Slack space

Answer 11

Unused space that is leftover when a File of X-1 size was given space of X

Question 12

Bad Blocks/Clusters

Answer 12

Unusable sectors

Question 13

Live forensics

Answer 13

Seeing what’s in live memory

Question 14

Meterpreter

Answer 14

Power metasploit payload

Question 15

Network forensics

Answer 15

study of data in motion.

Question 16

Forensic software analysis

Answer 16

deconstruct malware and software. Use a VM to detonate Malware

Question 17

EMbedded Device Forensics

Answer 17

IoT and Other Handheld devices

Question 18

Electronic Discovery

Answer 18

Help lawyers with discovery process via Electronic Discovery tools

Question 19

CSIRT

Answer 19

Computer Security Incident Response Team

Question 20

800-61r2

Answer 20

NIST Incident Handling Guide

4 step lifecycle

Question 21

800-61r2 lifecycle Step 1

Answer 21

Prep

Question 22

800-61r2 lifecycle Step 2

Answer 22

Detection and Analysis

Question 23

800-61r2 lifecycle Step 3

Answer 23

Containment, Eradication, and recovery

Question 24

800-61r2 Step 4

Answer 24

Post-incident Activity

Question 25

IR MGMT Step 1

Answer 25

Prep

Training, policies, procedures, checklist

Question 26

IR MGMT Step 2

Answer 26

Detection, AKA identification

Events—> Incident

Question 27

IR MGMT Step 3

Answer 27

Response

Question 28

IR MGMT Step 4

Answer 28

Mitigation, aka Eradication

Root Cause Analysis

Get rid of the bad things

Question 29

IR MGMT Step 5

Answer 29

Reporting

Not really a step, this happens throughout the process

Question 30

IR MGMT Step 6

Answer 30

Recovery

Restore systems and ops

Increase monitoring

Question 31

IR MGMT Step 7

Answer 31

remediation - long term strategic activity designed to eradicate root cause for identified incidient.

Question 32

IR MGMT Step 8

Answer 32

Lessons Learned. Shoudl be documented in a formal process, and assigned as action items with accountability

Question 33

Intrusion Detection System

Answer 33

Detects intrusions

Question 34

IDS True Positive

Answer 34

alerts on an actual issue

Question 35

IDS True Negative

Answer 35

doesn’t alarm on something that it doesn’t need to alarm on.

Question 36

IDS False positive

Answer 36

Trips on something that it shouldn’t on.

Question 37

IDS False Negative

Answer 37

Doesn’t trip on something it should trip on.

Question 38

NIDS NIPS

Answer 38

Network intrusion detection,

Network intrusion prevention system

Question 39

HIDS HIPS

Answer 39

Host Intrusion detection

Host intrusion prevention

Question 40

Knowledge-based IDS/IPS

Answer 40

AKA Signature based, AKA Pattern-matching

-compares events to static signatures of known attacks.

Question 41

Behavior-based IDS/IPS

Answer 41

Creates a baseline for what activities/events are considered normal. Once baseline is determined, it can now detect ‘abnormal’ activities

Question 42

Anomaly detection

Answer 42

Finds a baseline of normal traffic, then anomaly detection IDS ignores normal traffic.

Will alert when it sees odd traffic.

Question 43

Continuous monitoring

Answer 43

ASsessing and reassessing as an ongoing process

Question 44

DLP

Answer 44

data loss prevention.

class of solutions used to detect and prevent data from leaving the org

Question 45

Application Whitelisting

Answer 45

Only run what is permitted

Question 46

Sandboxing

Answer 46

Separate running programs, in an effort to mitigate system failures from spreading.

Test untested or untrusted programs.

Detonate malware in a VM.

Question 47

Asset/Configuration management

Answer 47

Hardened baselines and configs.

Establishes the baseline of an information technology environment that includes a secure baseline

Question 48

Baselining

Answer 48

Capture a snapshot of the current system security config. Establishes an easy means for capturing the current system config.

Question 49

Vulnerability management

Answer 49

scan in a way to discover poor configs and missing patches in an environment, with an emphasis on managing those vulnerabilities.

Question 50

Zero day vulnerability

Answer 50

no identified patch or workaround.

Question 51

Zero day exploit

Answer 51

Exploit methods is/are available for a vulnerability which has yet to be patched.

Question 52

Change management

Answer 52

Track and audit changes to configuration files. Assess risks of changes.

Question 53

SLA

Answer 53

Service level agreement

Stipulate all expectations regarding behavior of the department or organizations.

Orgs must negotiate all secure terms of service lvl agreement

Question 54

Full Backup

Answer 54

Complete copy. Duplicates every file regardless of the archive bit. Once complete, archive bit on every file is reset, turned off, or set to 0.

Question 55

Incremental backup

Answer 55

archives files that have changes since last full or incremental backup. Only files that have the archive bit turned on (set to 1) are duplicated. Once complete, archive bit on every file is reset, turned off, or set to 0.

Question 56

Differential Backup

Answer 56

archives files that have changes since last full (but NOT INCREMENTAL) backup. Only files that have the archive bit turned on (set to 1) are duplicated. DOES NOT CHANGE ARCHIVE BIT once done.

Question 57

RAID 0

Answer 57

Stripes two or more disks to improve performance, but NOT fault tolerance.

Question 58

RAID 1

Answer 58

Mirrors, uses two disks both with the same exact data. Provides fault tolerance. Lower write speeds, but potentially higher read speeds.

Question 59

RAID 3

Answer 59

NOT IN CBK. Byte level striping with dedicated parity

Question 60

RAID 4

Answer 60

NOT IN CBK. Block lvl striping with dedicated parity

Question 61

RAID 5

Answer 61

Striping with parity. Uses three or more disks, with one disk holding parity information. Parity allows reconstruction to occur after disk failure via mathematical calculations.

Question 62

RAID 6

Answer 62

Same as RAID 5, but with two parity disks.

Question 63

Mirroring

Answer 63

Writes same data to multiple hard disks.

Writes are slower read is faster. Costly

Question 64

Striping

Answer 64

Spread data across multiple hard disks.

Reads and writes can be performed in parallel acros multiple disks

Performance increase on reads and writes

Question 65

RAID 10

Answer 65

Nested RAID. Configuration is a striped set of mirrors. Uses at least 4 disks, but can support more as long as an even number of disks are added.

Can tolerate multiple disk failures, as long as one drive in each mirror continues to operate.

Question 66

BCP

Answer 66

business continuity plan. Long term plan to ensure continuity of business ops

Question 67

BCP

Answer 67

business continuity plan. Long term plan to ensure continuity of business ops

Business level scope

Question 68

DRP

Answer 68

Disaster recovery plan

Short term plan to recover from a disruptive event.

Question 69

DRP

Answer 69

Disaster recovery plan
Short term plan to recover from a disruptive event.

IT oriented scope

Question 70

MTTR

Answer 70

Mean time to repair.

Question 71

MTTR

Answer 71

Mean time to repair.

Question 72

Natural disaster

Answer 72

Weather, earthquake

Question 73

Human

Answer 73

Malware, assault, large portions of workforce leaving.

Question 74

Environmental

Answer 74

HVAC fails, power outage

Question 75

DRP Process - respond

Answer 75

Begin processing the damage

Initial assessment

Question 76

DRP Process - Acticate team

Answer 76

Activate team

Question 77

DRP Process - Communicate

Answer 77

comms must be out of band. Ensuretimely updates. Org should be prepared for external comms

Question 78

DRP Process - Assess

Answer 78

More detailed and thorough assessment

Assess damage

Team could recommend ultimate restoration/reconstitution at different site

Question 79

DRP Process -Reconstitution

Answer 79

Recover business ops at primary or secondary site.

Salvage team activated at primary facility

Question 80

Develop a BCP/DRP

Answer 80

Project initiation
scope the project
business impact analysis
identify preventive controls
Recovery strategy
Plan design, and develpment
implementation, training, and testing
BCP/DRP

Question 81

NIST 800-34

Answer 81

NIST contigency planning guide.

Question 82

BCP/DRP Planning Project Initiation Milestones

Answer 82

7

1. Develop contigency plan
2. Conduct business impact ianalysis
3. Identify preventive controls
4. develop recovery strategies
5. Develop IT contigency plan
6. Plan testing, training, excercises
7. Plan maintenance of documents

Question 83

Continuity planning project team

Answer 83

Team set up to determine responsibilities and objectives of continuity plan.

Question 84

RTO

Answer 84

Recovery time objective. How quickly something a system can be brought back on line, but not integrity hasn’t been verified yet.

Question 85

WRT

Answer 85

Work recovery time. After system is online, time to verify integrity of system.

Question 86

Executive mgmt - Scoping the project

Answer 86

need exec support for

• initiating the scoping process,
• and also need to sign off on final approval.
• need to excercise due diligence and due care

Question 87

assess teh critical state

Answer 87

process to determine which iniformation systems are critical. difficult to do because how important something is depends soley on who uses it.

when compilinng the critical state and asset list, the Project manager should not how assets impact the org

Question 88

business impiact analysis BIA

Answer 88

correlate IT systems to critical services they support. Aims to quantify the consequence of disruption

Question 89

BIA Steps

Answer 89

Business impact analysis

1. Identify critical assets
2. Conduct DRP/BCP focused risk assessment

Question 90

MTD = ?

Answer 90

Max tolerable downtime = Recovery time objective + Work recovery time

MTD = RTO +WRT

Question 91

RPO =

Answer 91

recovery point objective, how much data you can afford to lose

Question 92

MOR =

Answer 92

Minimum operating requirements

usually applies to environmentals.

Question 93

Redundant site

Answer 93

exact replica, very expensive.

no data loss in event of disaster at primary site

Question 94

Hot site

Answer 94

Less than one hour of downtime.

Has all infrastructure for resuming normal business operations.

Question 95

warm site

Answer 95

Most aspects of a hot site, but relies on backups to get systems up and running.

MTD of 1-3 days

Question 96

Cold site

Answer 96

not equipment, no backup data. Typically just physical building.

1-3 weeks of MTD

Question 97

Mutual Aid Agreement

Answer 97

Two businesses promise to cover each others’ business needs in event of disaster.

Question 98

mobile site

Answer 98

data center on wheels.

Question 99

COOP

Answer 99

Continutity of operastions plan. Focuses exclusively on operations.

Question 100

BRP

Answer 100

Business recovery plan/ business resumption plan

details plan to resume normal operations AFTER recovering from disaster/disruptive event.

picks up after COOP is complete.

Question 101

CSP

Answer 101

continuity of support plan.

Helpdesk/IT oriented continuity plan.

Question 102

CIRP

Answer 102

Cyber Incident Response Plan

Question 103

OEP

Answer 103

Occupant emergency plan

Question 104

CMP

Answer 104

Crisis Management Plan

Details actions required of management in a disaster.

Question 105

CCP

Answer 105

crisis communications plan - Plan for communicating to staff in event of a disaster.

Component of CMP

Question 106

Call trees

Answer 106

each employee is responsible for calling a small number of other employees in event of a disaster.

Question 107

EOC

Answer 107

emerency ops center

Question 108

Vital records

Answer 108

vital documentation needed for normal operations. Licenses, checkbooks, contracts

Question 109

forensic media analysis

Answer 109

analysis of binary disk images

Question 110

root-cause analysis root cause

Answer 110

attempts to determine the underlying weakness or vulnerability.

Question 111

executive succession plan

Answer 111

determines line of succession in event an executive is unable to lead.

Question 112

executive succession plan

Answer 112

determines line of succession in event an executive is unable to lead.

Question 113

Tape rotation

Answer 113

method to ensure you have long backup windows, but don’t require too much tape.

Question 114

Electronic vaulting

Answer 114

batch process of electronically transmitting data that is backed up on a routine. Offsite facility

Question 115

Remote journaling

Answer 115

log of all database transactions.

Question 116

Database Shadowing

Answer 116

Updates a backup DB automatically when live DB is changes. Two or more backup DBs

Question 117

Software Escrow

Answer 117

source code is held by an impartial 3rd party in case software vendor goes out of business.

Question 118

Hardcopy data

Answer 118

on paper data. In hurricane prone areas, businesses often develop a paper-only DRP

Question 119

DRP Testing

Answer 119

Plan is only as effective as the last time it was updated and tested.

Should be performed at least yearly.

Question 120

DRP Testing - Read-Through AKA Checklist testing

Answer 120

Review the plan, read the whole thing.

AKA consistency testing. Lists all necessary components. Ensures they’re readily available in event of disaster.

Question 121

DRP Test, partial and complete business integration

Answer 121

Intentional outage. Can actually cause a real disaster. More common in fully redundant, load balanced operation.

Question 122

DRP training

Answer 122

DRP specific training to bring employees up to speed.

Question 123

DRP training

Answer 123

DRP specific training to bring employees up to speed.

Question 124

BCP/DRP Maintenance

Answer 124

must be kept up to date. Must keep pace with all critical IT/Business changes.

Change management

Question 125

NIST SP 800-34

Answer 125

BCP/DRP Framework from NIST

Question 126

ISO/IEC 27031

Answer 126

BCP Framework from ISO

Question 127

ISO/IEC 27031

Answer 127

BCP Framework from ISO

Question 128

ICT

Answer 128

ISO Acronym, Information and Comms Technology

Question 129

ISMS

Answer 129

ISO Acronym, Information security mgmt system.

Question 130

ISO/IEC 24762:2008

Answer 130

ISO guide for disaster recovery DRP

Question 131

BS 25999

Answer 131

Part 1, code of practice

Part 2, Specifications for business continuity

Question 132

BCI

Answer 132

Business continuity institute

Question 133

Security Operations

Answer 133

concerned with threats to a production operating environment.

Question 134

Least Privilege AKA Minimum Necessary Access

Answer 134

Persons should have no more access than is necessary for the performance of their duties.

Question 135

Need to Know

Answer 135

Even if you have access, if you do not need to know, then you should not access the data. Example, in a MAC environment, even if you have the clearance - if the information isn’t relevant to you then you aren’t ‘need to know’ and shouldn’t have access.

Question 136

Separation of Dties

Answer 136

Multiple people are required to complete critical or sensitive transactions. Idea is to require multiple people acting un-ethically for something bad to happen. i.e. the payroll administrator can’t also audit accounting logs. Idea

Question 137

Rotation of Duties/Job Rotation

Answer 137

Ensures there’s more depth to the organizational skillset. Simply requires that no one person perform critical functions for too long.

Question 138

Mandatory Leave/Forced Vacation

Answer 138

Prevents an operator from having exclusive use of a system. If they’re doing anything shady - then it will potentially/probably be discovered while they’re out.

Question 139

NDA

Answer 139

Nondisclosure Agreement.

Legally binds a user to confidentiality.

Question 140

Background Checks

Answer 140

Helps ensures quality of candidate.

Question 141

Forensic - Allocated space

Answer 141

portions of disk partition marked as containing active data

Question 142

Forensics - unallocated space

Answer 142

portions of disk that do not contain active date.

Could have never had data - or simply been marked as unallocated but still contains old information.

Question 143

Forensics - Slack Space

Answer 143

When the minimum sized block of information isn’t fully used by a piece of information - the remaining space that isn’t usable is called slack space.

Slack space may contain old/unused information, or might be used by attackers.

Question 144

Forensics - bad blocks/clusters/sectors

Answer 144

Physically unusable space. Attacker might mark space as ‘bad’ in order to use for themselves.

Question 145

Removable Media controls

Answer 145

Put controls on PCs/routers to bar un-known peripherals (USB drives, keyboards, mice, monitors etc)

Question 146

DRP Testing - walkthrough/tabletop

Answer 146

virtual/tabletop simulation of DRP to conceptually run through the whole process. Goal to find any gaps or redundancies, erroneous assumptions, etc.

Question 147

DRP Testing - Simulation test, physical walkthrough drill

Answer 147

Simulate a disaster and have all teams go through the physical motions of response.

Question 148

DRP Test - Parallel processing

Answer 148

Test recovery at another facility and restore data from a backup. Regular systems are not impacted

Question 149

DRP Test- partial business interruption AKA Cutover test

Answer 149

Stop activities at main location, start at backup location