Domain 7, Security Operations Flashcards

Question

IR MGMT Step 1

Answer 1

Prep | Training, policies, procedures, checklist

Answer 2

Detection, AKA identification Events---> Incident

Answer 3

Mitigation, aka Eradication Root Cause Analysis Get rid of the bad things

Answer 4

Reporting Not really a step, this happens throughout the process

Answer 5

Recovery Restore systems and ops Increase monitoring

Answer 6

remediation - long term strategic activity designed to eradicate root cause for identified incidient.

Answer 7

Lessons Learned. Shoudl be documented in a formal process, and assigned as action items with accountability

Answer 8

Detects intrusions

Answer 9

alerts on an actual issue

Answer 10

doesn't alarm on something that it doesn't need to alarm on.

Answer 11

Trips on something that it shouldn't on.

Answer 12

Doesn't trip on something it should trip on.

Answer 13

Network intrusion detection, Network intrusion prevention system

Answer 14

Host Intrusion detection Host intrusion prevention

Answer 15

AKA Signature based, AKA Pattern-matching -compares events to static signatures of known attacks.

Answer 16

Creates a baseline for what activities/events are considered normal. Once baseline is determined, it can now detect 'abnormal' activities

Answer 17

Finds a baseline of normal traffic, then anomaly detection IDS ignores normal traffic. Will alert when it sees odd traffic.

Answer 18

ASsessing and reassessing as an ongoing process

Answer 19

data loss prevention. class of solutions used to detect and prevent data from leaving the org

Answer 20

Only run what is permitted

Answer 21

Separate running programs, in an effort to mitigate system failures from spreading. Test untested or untrusted programs. Detonate malware in a VM.

Answer 22

Hardened baselines and configs. Establishes the baseline of an information technology environment that includes a secure baseline

Answer 23

Capture a snapshot of the current system security config. Establishes an easy means for capturing the current system config.

Answer 24

scan in a way to discover poor configs and missing patches in an environment, with an emphasis on managing those vulnerabilities.

Answer 25

no identified patch or workaround.

Answer 26

Exploit methods is/are available for a vulnerability which has yet to be patched.

Answer 27

Track and audit changes to configuration files. Assess risks of changes.

Answer 28

Service level agreement Stipulate all expectations regarding behavior of the department or organizations. Orgs must negotiate all secure terms of service lvl agreement

Answer 29

Complete copy. Duplicates every file regardless of the archive bit. Once complete, archive bit on every file is reset, turned off, or set to 0.

Answer 30

archives files that have changes since last full or incremental backup. Only files that have the archive bit turned on (set to 1) are duplicated. Once complete, archive bit on every file is reset, turned off, or set to 0.

Answer 31

archives files that have changes since last full (but NOT INCREMENTAL) backup. Only files that have the archive bit turned on (set to 1) are duplicated. DOES NOT CHANGE ARCHIVE BIT once done.

Answer 32

Stripes two or more disks to improve performance, but NOT fault tolerance.

Answer 33

Mirrors, uses two disks both with the same exact data. Provides fault tolerance. Lower write speeds, but potentially higher read speeds.

Answer 34

NOT IN CBK. Byte level striping with dedicated parity

Answer 35

NOT IN CBK. Block lvl striping with dedicated parity

Answer 36

Striping with parity. Uses three or more disks, with one disk holding parity information. Parity allows reconstruction to occur after disk failure via mathematical calculations.

Answer 37

Same as RAID 5, but with two parity disks.

Answer 38

Writes same data to multiple hard disks. Writes are slower read is faster. Costly

Answer 39

Spread data across multiple hard disks. Reads and writes can be performed in parallel acros multiple disks Performance increase on reads and writes

Answer 40

Nested RAID. Configuration is a striped set of mirrors. Uses at least 4 disks, but can support more as long as an even number of disks are added. Can tolerate multiple disk failures, as long as one drive in each mirror continues to operate.

Answer 41

business continuity plan. Long term plan to ensure continuity of business ops

Answer 42

business continuity plan. Long term plan to ensure continuity of business ops Business level scope

Answer 43

Disaster recovery plan | Short term plan to recover from a disruptive event.

Answer 44

Disaster recovery plan Short term plan to recover from a disruptive event. IT oriented scope

Answer 45

Mean time to repair.

Answer 46

Mean time to repair.

Answer 47

Weather, earthquake

Answer 48

Malware, assault, large portions of workforce leaving.

Answer 49

HVAC fails, power outage

Answer 50

Begin processing the damage | Initial assessment

Answer 51

Activate team

Answer 52

comms must be out of band. Ensuretimely updates. Org should be prepared for external comms

Answer 53

More detailed and thorough assessment Assess damage Team could recommend ultimate restoration/reconstitution at different site

Answer 54

Recover business ops at primary or secondary site. Salvage team activated at primary facility

Answer 55

``` Project initiation scope the project business impact analysis identify preventive controls Recovery strategy Plan design, and develpment implementation, training, and testing BCP/DRP ```

Answer 56

NIST contigency planning guide.

Answer 57

7 1. Develop contigency plan 2. Conduct business impact ianalysis 3. Identify preventive controls 4. develop recovery strategies 5. Develop IT contigency plan 6. Plan testing, training, excercises 7. Plan maintenance of documents

Answer 58

Team set up to determine responsibilities and objectives of continuity plan.

Answer 59

Recovery time objective. How quickly something a system can be brought back on line, but not integrity hasn't been verified yet.

Answer 60

Work recovery time. After system is online, time to verify integrity of system.

Answer 61

need exec support for - initiating the scoping process, - and also need to sign off on final approval. - need to excercise due diligence and due care

Answer 62

process to determine which iniformation systems are critical. difficult to do because how important something is depends soley on who uses it. when compilinng the critical state and asset list, the Project manager should not how assets impact the org

Answer 63

correlate IT systems to critical services they support. Aims to quantify the consequence of disruption

Answer 64

Business impact analysis 1. Identify critical assets 2. Conduct DRP/BCP focused risk assessment

Answer 65

Max tolerable downtime = Recovery time objective + Work recovery time MTD = RTO +WRT

Answer 66

recovery point objective, how much data you can afford to lose

Answer 67

Minimum operating requirements usually applies to environmentals.

Answer 68

exact replica, very expensive. no data loss in event of disaster at primary site

Answer 69

Less than one hour of downtime. Has all infrastructure for resuming normal business operations.

Answer 70

Most aspects of a hot site, but relies on backups to get systems up and running. MTD of 1-3 days

Answer 71

not equipment, no backup data. Typically just physical building. 1-3 weeks of MTD

Answer 72

Two businesses promise to cover each others' business needs in event of disaster.

Answer 73

data center on wheels.

Answer 74

Continutity of operastions plan. Focuses exclusively on operations.

Answer 75

Business recovery plan/ business resumption plan details plan to resume normal operations AFTER recovering from disaster/disruptive event. picks up after COOP is complete.

Answer 76

continuity of support plan. Helpdesk/IT oriented continuity plan.

Answer 77

Cyber Incident Response Plan

Answer 78

Occupant emergency plan

Answer 79

Crisis Management Plan Details actions required of management in a disaster.

Answer 80

crisis communications plan - Plan for communicating to staff in event of a disaster. Component of CMP

Answer 81

each employee is responsible for calling a small number of other employees in event of a disaster.

Answer 82

emerency ops center

Answer 83

vital documentation needed for normal operations. Licenses, checkbooks, contracts

Answer 84

analysis of binary disk images

Answer 85

attempts to determine the underlying weakness or vulnerability.

Answer 86

determines line of succession in event an executive is unable to lead.

Answer 87

determines line of succession in event an executive is unable to lead.

Answer 88

method to ensure you have long backup windows, but don't require too much tape.

Answer 89

batch process of electronically transmitting data that is backed up on a routine. Offsite facility

Answer 90

log of all database transactions.

Answer 91

Updates a backup DB automatically when live DB is changes. Two or more backup DBs

Answer 92

source code is held by an impartial 3rd party in case software vendor goes out of business.

Answer 93

on paper data. In hurricane prone areas, businesses often develop a paper-only DRP

Answer 94

Plan is only as effective as the last time it was updated and tested. Should be performed at least yearly.

Answer 95

Review the plan, read the whole thing. AKA consistency testing. Lists all necessary components. Ensures they're readily available in event of disaster.

Answer 96

Intentional outage. Can actually cause a real disaster. More common in fully redundant, load balanced operation.

Answer 97

DRP specific training to bring employees up to speed.

Answer 98

DRP specific training to bring employees up to speed.

Answer 99

must be kept up to date. Must keep pace with all critical IT/Business changes. Change management

Answer 100

BCP/DRP Framework from NIST

Answer 101

BCP Framework from ISO

Answer 102

BCP Framework from ISO

Answer 103

ISO Acronym, Information and Comms Technology

Answer 104

ISO Acronym, Information security mgmt system.

Answer 105

ISO guide for disaster recovery DRP

Answer 106

Part 1, code of practice | Part 2, Specifications for business continuity

Answer 107

Business continuity institute

Answer 108

concerned with threats to a production operating environment.

Answer 109

Persons should have no more access than is necessary for the performance of their duties.

Answer 110

Even if you have access, if you do not need to know, then you should not access the data. Example, in a MAC environment, even if you have the clearance - if the information isn't relevant to you then you aren't 'need to know' and shouldn't have access.

Answer 111

Multiple people are required to complete critical or sensitive transactions. Idea is to require multiple people acting un-ethically for something bad to happen. i.e. the payroll administrator can't also audit accounting logs. Idea

Answer 112

Ensures there's more depth to the organizational skillset. Simply requires that no one person perform critical functions for too long.

Answer 113

Prevents an operator from having exclusive use of a system. If they're doing anything shady - then it will potentially/probably be discovered while they're out.

Answer 114

Nondisclosure Agreement. Legally binds a user to confidentiality.

Answer 115

Helps ensures quality of candidate.

Answer 116

portions of disk partition marked as containing active data

Answer 117

portions of disk that do not contain active date. Could have never had data - or simply been marked as unallocated but still contains old information.

Answer 118

When the minimum sized block of information isn't fully used by a piece of information - the remaining space that isn't usable is called slack space. Slack space may contain old/unused information, or might be used by attackers.

Answer 119

Physically unusable space. Attacker might mark space as 'bad' in order to use for themselves.

Answer 120

Put controls on PCs/routers to bar un-known peripherals (USB drives, keyboards, mice, monitors etc)

Answer 121

virtual/tabletop simulation of DRP to conceptually run through the whole process. Goal to find any gaps or redundancies, erroneous assumptions, etc.

Answer 122

Simulate a disaster and have all teams go through the physical motions of response.

Answer 123

Test recovery at another facility and restore data from a backup. Regular systems are not impacted

Answer 124

Stop activities at main location, start at backup location