Domain 7 - Security Operations

Question 1

User and entity behavior analytics (UEBA)

Answer 1

• entity behavior is collected and input to a threat model, model establishes baseline of normal based on historical data, enables analysis to uncover anomalies

Question 2

Threat intel feeds

Answer 2

• feed containing malicious entities ingested by cyber tools, educational tools for threat landscape changes, single feed may contain many sources including OSINT, entity = IP, website, actor, hashes

Question 3

Role of AI and ML (SecOps)

Answer 3

• automate analysis, automated investigation feature, quickly analyze millions of events and identify many different types of threats, profiles are built on users/ assets/ networks/ devices allowing AI to detect and respond to deviations from established norms, factor in anti-malware, SIEM, IDS/IPS, IDaaS

Question 4

Collusion

Answer 4

• agreement among multiple persons to perform unauthorized action

Question 5

Separation of duties

Answer 5

• ensure 1 person doesn’t control all elements of a critical function

Question 6

Job rotation

Answer 6

• employees rotated into different jobs or tasks, flush out fraud

Question 7

Monitoring privileged operations

Answer 7

• monitor all assignment of privileges and the use of privileged operations, can detect many attacks because attackers commonly use special privileges

Question 8

Information lifecycle

Answer 8

• Creation (file creation by user or system logs) > classification (to ensure its handled properly) > storage (protect data with adequate controls based on classification) > usage (anytime data is in use or in transit) > archive (sometimes needed to comply with laws or regulations) > destruction (destroyed in a way so it is not readable)

Question 9

Service level agreements

Answer 9

-performance expectations like max downtimes/ availability numbers, can include penalties, usually applies to vendors

Question 10

Secure provisioning

Answer 10

• ensures that resources are deployed in a secure manner and maintained in a secure manner throughout lifecycle, ie PC deployed from secure image

Question 11

Virtual assets

Answer 11

• VMs, VDIs, SDN, SAN, hypervisors are primary component that manage virtual assets but also provide attackers with an additional target, KEEP IT PATCHED!!

Question 12

Configuration management

Answer 12

ensures that systems are configured in a similar manner, configs are KNOWN and DOCUMENTED

Question 13

Baselining

Answer 13

• ensures systems are deployed with a common baseline ie imaging, policy based config (GPOs), can then be TAILORED as needed

Question 14

Change management

Answer 14

• helps reduce outages/ weakened sec from unauthorized changes, make sure all changes are documented/ discussed/ authorized, changes are tested approved and documented

Question 15

Versioning

Answer 15

• uses labeling/ numbering to track changes in software, helpful in change management process

Question 16

Patch management

Answer 16

• ensures systems are kept up to date with current sec patches, evaluate/ test/ approve/ deploy patches, system audits verify the deployment of approved patches to system, vuln scanner can identify missing patches

Question 17

Vuln scanners

Answer 17

• detect vulns, weaknesses, absence of patches, weak passwords ie tenable, qualys

Question 18

Vuln assessments

Answer 18

• includes review and audits to detects vulns in addition to a scan

Question 19

Detection (IR)

Answer 19

• monitoring tools, IPS, firewalls, notifying management

Question 20

Response (IR)

Answer 20

• triage (is it really an incident?), decision to declare, LIMIT DAMAGE

Question 21

Mitigation (IR)

Answer 21

• first containment effort or step, create team, CONTAINMENT IS HERE

Question 22

Reporting (IR)

Answer 22

• to relevent stakeholders (customers, vendors, law enforcement), MANAGEMENT DECISION

Question 23

Recovery (IR)

Answer 23

• returning to normal ops, MANAGEMENT DECISION

Question 24

Remediation (IR)

Answer 24

• root cause is addressed, ROOT CAUSE ANALYSIS

Question 25

Lessons learned (IR)

Answer 25

• prevent recurrence, improve IR process

Question 26

Denial of Service attacks (DoS)

Answer 26

• prevent a system from responding to legit requests for service, blocks resources

Question 27

SYN flood attack

Answer 27

• disrupts TCP 3 way handshake

Question 28

Smurf attack

Answer 28

• amplification network (systems under control of bad actor) to send many response packets to victim

Question 29

Botnet

Answer 29

-collection of compromised computing devices (often called bots or zombies)

Question 30

Bot herder

Answer 30

• attacker who remotely controls botnet via a C2 server, often use them to launch attacks or send phishing emails

Question 31

Honeypot

Answer 31

• has pseudo flaws and fake data to lure/ distract intruders, cant entrap someone to commit an actual crime, as long as attackers are in the honeypot they are not in the live network and admins can observe, some IDS can transfer attackers to padded cell after detection (hardened honeypot)

Question 32

Anti-malware software

Answer 32

• up to date definitions, installed on each system/ boundary device/ email servers/ etc, also has behavioral analysis now

Question 33

Policies (blocking malicious code)

Answer 33

• enforce basic sec principles ie least privilege, no local admin, etc

Question 34

Education (blocking malicious code)

Answer 34

• teaching users about risks and methods attackers use to spread viruses

Question 35

Penetration tests

Answer 35

• discover vulns then mimic an attack to identify what can be exploited, not without consent and knowledge from management, can result in damage so should be done on isolated systems whenever possible, schedule at time of minimal activity

Question 36

Black box pentesting

Answer 36

• no knowledge of environment

Question 37

White box pentesting

Answer 37

• full knowledge of environment, open book test

Question 38

Gray box pentesting

Answer 38

• partial knowledge of environment

Question 39

IDS

Answer 39

• can respond by passively logging and notifying OR actively by changing the environment, reactive
  § HIDS - monitor activity on single system only, attackers can discover and disable
  § NIDS - monitor activity on a network, not as visible to attackers

Question 40

IPS

Answer 40

• placed inline with traffic, can block malicious traffic before it reaches target, proactive

Question 41

Espionage

Answer 41

• external threat, competitor tries to steal info

Question 42

Sabotage

Answer 42

• insider threat, malicious insiders can become disgruntled, ie mass deletion/ server shutdowns, data theft

Question 43

Zero-day exploits

Answer 43

• attack that uses a vulnerability that is either unknown to anyone but the attacker or a limited # of people, basic sec practices can often prevent these from being fully utilized

Question 44

Common log files

Answer 44

• security logs, system logs, application logs, firewall logs, proxy logs, protected by centrally storing them and restricting access so they can’t be modified, read only!

Question 45

Monitoring

Answer 45

• form of auditing, focuses on active review of log file data, used to hold subjects accountable and monitor system performance, automated by IDS/ SIEM

Question 46

Audit trails

Answer 46

• used to reconstruct event, prove culpability, DETECTIVE security control, essential evidence in prosecution of criminals

Question 47

Sampling

Answer 47

• extracting elements from a large body of data, construct a meaningful representation of the whole set of data

Question 48

Statistical sampling

Answer 48

• uses precise math function to extract meaningful info from a large volume of data

Question 49

Clipping

Answer 49

• non-statistical sampling, records only events that exceed a threshold

Question 50

Accountability

Answer 50

• maintained for individual users aka subjects through AUDITING, logs record user activities and users can be held accountable for logged actions, promotes good user behavior because people know theyre being watched

Question 51

Security audits/ reviews

Answer 51

• help ensure that management programs are effective and being followed, commonly associated with account management to prevent violations with least priv and need to know, can be used to oversee many programs and processes ie patch/ vuln/ change/ config management

Question 52

Auditing

Answer 52

• examination of environment to ensure compliance, DETECTIVE control, frequency is based on risk, degree of risk affects how often an audit is performed, secure environments rely heavily on audits

Question 53

Due care

Answer 53

• act with common sense, prudent management, responsible

Question 54

Controlling access to audit reports

Answer 54

• contain sensitive info, purpose/ scope and any results discovered, only people with sufficient priv should have access, senior sec admins should have full details, senior management only needs high level summary to meet their requirement for due care

Question 55

Access review

Answer 55

• ensures object access and account management practices support the security policy

Question 56

User entitlement audit

Answer 56

• ensure that least priv is followed and focused on privileged accounts

Question 57

Access control audit

Answer 57

• can track logon success and failure of any account, incloud resources (object) access and action performed on resources ie mass file exfiltration, IDS can monitor these logs and easily identify attacks and notify admins

Question 58

Computer crime

Answer 58

• military and intelligence attacks, business attacks, financial attacks, terrorist attacks, grudge attacks, thrill attacks

Question 59

Electronic discovery

Answer 59

• eDiscovery, info ID and governance, preservation and collection, processing, review and analysis, production and presentation (in case of lawsuit will need to present data)

Question 60

Possession (evidence gathering)

Answer 60

• must have possession of equipment/ data to analyze and use it as evidence

Question 61

Modification (evidence gathering)

Answer 61

• must acquire evidence w/o modifying it or allowing anyone else to modify it

Question 62

Chain of evidence

Answer 62

• aka chain of custody, documents all who handle evidence

Question 63

Voluntary surrender

Answer 63

• ask the person who owns the evidence to voluntarily surrender it for investigation

Question 64

Subpoena

Answer 64

• compels a subject to surrender evidence

Question 65

Search warrant

Answer 65

• when you need to confiscate evidence w/o giving subject the opportunity to alter it

Question 66

Data retention

Answer 66

• ensure critical logs are retained for a reasonable period of time based on sec policy/ regulatory requirements, can be maintained in place or in archives

Question 67

Best evidence

Answer 67

• original

Question 68

Secondary evidence

Answer 68

• copy

Question 69

Direct evidence

Answer 69

• proves or disproves an act based on the 5 senses ie something seen or heard in the 1st person

Question 70

Conclusive evidence

Answer 70

• cannot be disproven, overrides all other types

Question 71

Circumstantial evidence

Answer 71

• inferred from other info, often comes up in financial crimes

Question 72

Corroborative evidence

Answer 72

• supporting evidence that cannot stand on its own

Question 73

Opinions (evidence)

Answer 73

• expert and non-expert

Question 74

Hearsay (evidence)

Answer 74

• not based on first hand knowledge

Question 75

Evidence admissibility

Answer 75

• must be relevant to the case, must be material to the case, must be competent or legally collected, must comply with traditional notions of reliability ie court is satisfied with handling and type of evidence

Question 76

Real evidence

Answer 76

• consists of ACTUAL objects that can be brought into a courtroom

Question 77

Documentary evidence

Answer 77

• consists of written documents that provide insight into the facts

Question 78

Testimonial evidence

Answer 78

• consists of verbal or written statements made by witnesses

Question 79

Evidence collection

Answer 79

• start as soon as incident is discovered, collect as much evidence as possible, can be used in legal action or in finding attacker identity, determine extent of damage

Question 80

Natural disasters

Answer 80

• earthquakes, floods, tornados, etc. can be location specific ie hurricanes by the coast

Question 81

Man made disasters

Answer 81

• explosions, electrical fires, terrorist acts, power outages, other utility failures

Question 82

Hot site

Answer 82

• “proactive” site, replication of production environment, keep servers and a live backup site up and running, allows for IMMEDIATE cutover in case of disaster, is a MUST for mission critical sites, HIGH COST LOW EFFORT

Question 83

Warm site

Answer 83

• “preventative” site, allows pre-installed hardware and pre-configured bandwidth, if disaster strikes just load software and data to restore business systems MEDIUM COST MEDIUM EFFORT

Question 84

Cold site

Answer 84

• just data center space, power, network connectivity. Ready when you need it. If disaster strikes, engineering and logistical support teams can help move hardware into the data center to get you up and running, LOW COST HIGH EFFORT

Question 85

Service Bureau

Answer 85

• company that leases computer time, own large server farms and often fields of workstations, may be onsite or remote

Question 86

Mobile site

Answer 86

• non-mainstream alternative to traditional recovery sites, consist of self-contained trailers or other easily relocated units

Question 87

Recovery point objective (RPO)

Answer 87

• age of files that have to be recovered from backup storage for normal ops to resume if a system or network goes down

Question 88

Recovery time objective (RTO)

Answer 88

• duration of time and service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity

Question 89

Mutual Assistance Agreements (MAAs)

Answer 89

• entities agree to provide assistance to each other before during and after an emergency, inexpensive alternative to disaster recovery sites, can happen between gov agencies often, CONS: orgs may be shut down by same disaster and this does raise confidentiality concerns, difficult to enforce if one side lets the other down

Question 90

Business continuity planning

Answer 90

• STEPS: Project scope and planning > business impact assessment > continuity planning > approval and implementation. GOAL: efficient response to enhance a companys ability to recover from a disruptive event promptly

Question 91

BCP (business continuity plan)

Answer 91

• organizational plan for HOW TO continue business

Question 92

COOP (Continuity of operations plan)

Answer 92

• plan for continuing to do business until IT infrastructure is restored

Question 93

DRP (Disaster recovery plan)

Answer 93

• plan for recovering from an IT disaster and having the IT infrastructure back in operation

Question 94

BRP (business resumption plan)

Answer 94

• plan to move from the disaster recovery site back to business environment/ back to normal operations

Question 95

MTBF (mean time between failures)

Answer 95

• time determination for how long a piece of IT infrastructure will continue to work before it fails

Question 96

MTTR (mean time to repair)

Answer 96

• how long it takes to get a piece of hardware/ software repaired and back online

Question 97

MTD (max tolerable downtime)

Answer 97

• time we can be without the asset that is unavailable BEFORE we must declare a disaster and initiate the DRP

Question 98

Goals of DR and BCP

Answer 98

• minimize effects of a disaster, improving responsiveness by the employees in different situations, ease confusion by providing written procedures and participation in drills, help make logical decisions during a crisis/ extreme stress

Question 99

Read through test

Answer 99

• distribute copies of DRP for members of the disaster recovery team to review

Question 100

Structured walk-through test (tabletop exercise)

Answer 100

• members of the disaster recovery team gather in a large conference room and role play a disaster scenario AKA tabletop exercise, scenario is known only to the moderator

Question 101

Simulation test

Answer 101

• similar to structured walkthrough, except response measures are then tested on NON-CRITICAL FUNCTIONS

Question 102

Parallel test

Answer 102

• relocate personnel to alternate recovery site and implement site activation procedures. Employees perform DRP responsibilities

Question 103

Full interruption test

Answer 103

• shutting down ops at primary site and using the backup/ recovery site

Question 104

Recovery team

Answer 104

• get critical business functions running at alternate site

Question 105

Salvage team

Answer 105

• returns primary site to normal processing conditions

Question 106

Electronic vaulting

Answer 106

• transfer database backups to a remote site as part of a bulk transfer

Question 107

Remote journaling

Answer 107

• transmitting journal/ transaction logs to the off site facility (not actual files)

Question 108

Remote mirroring

Answer 108

• live database server is maintained at the backup site, most advanced database backup solution (most expensive backup strategy)

Question 109

Non-disaster (disruption category)

Answer 109

• disruption is service from malfunction or user error

Question 110

Disaster (disruption category)

Answer 110

• whole facility unusable for a day or longer

Question 111

Catastrophe (disruption category)

Answer 111

• major disruption that destroys facility altogether, requires short and long term solution

Question 112

Uniform Computer
Information
Transactions Act
(UCITA)

Answer 112

Common framework for the conduct of computer-related
business transactions. A federal law Eg. Use of software
licensing