Domain 7: Security Operations Flashcards

1
Q

Recommended height of a security fence

A

8 feet with barbed wire to keep most intruders out.

6-7 feet is too hard to climb easily but won’t keep determined intruders out.

3-4 feet

2
Q

Smurf Attack

A

A Smurf attack spoofs the source IP address with the victim’s address and floods the broadcast address with internet control message protocol (ICMP) requests. This causes devices on the network to send an ICMP reply to the victim for each ICMP request sent by the attacker.

3
Q

Separation of Duties

A

Separation of duties allows for two or more people to play separate roles in the completion of a critical process. Two people serving separate functions at the same time within a holistic process can allow for auditing and accountability.

4
Q

MTD

A

Maximum Tolerable Downtime

5
Q

SLE

A

Single Loss Expectancy

6
Q

RPO

A

Recovery Point Objective

Defines how much data can be lost in terms of time.

7
Q

Exposure Factor

A

The percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

8
Q

RTO

A

Recovery Time Objective.

Should NOT exceed the MTD.

9
Q

Duress Function

A

Covertly signals that the individual disarming the alarm system is being coerced to do so, while the appearance of compliance is maintained.

10
Q

SYN Flood

A

In a SYN flood attack, a client exploits the TCP three-way handshake by sending SYN packets but never responding to the SYN-ACK to complete the handshake. The volume of resources this consumes on the host eventually causes the host to become overwhelmed and unresponsive.

11
Q

Ping of Death

A

A Ping of death (PoD) attack is a denial-of-service (DoS) attack, in which the attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size, causing the target machine to freeze or crash. The original ping of death attack is less common today.

12
Q

Fraggle attack

A

DoS attack similar to a Smurf attack. The difference is that it uses UDP ports 7 and 19 instead of ICMP.

The attacker spoofs the source IP address so that the UDP responses go to that address instead of to the attacker, making it a DoS attack against the spoofed address.

13
Q

How long should it take to activate a hot site?

A

A few minutes to a few hours.

14
Q

How long should it take to activate a warm site?

A

A few hours to a few days.

14
Q

How long should it take to activate a cold site?

A

A few days to a few weeks.

14
Q

During a cybersecurity investigation, what is considered MOST important?

A

Preservation of Evidence

15
Q

How well lit should a parking lot or the perimeter of a building be?

A

Two foot-candles

A foot-candle is one lumen per square foot. The accepted standard for lighting used in parking lots or perimeters is a minimum of two foot-candles.

16
Q

Capacitance IDS

A

A capacitance intrusion detection system detects changes in the electromagnetic field around the sensor. When a person walks into the field, it disturbs the field’s electromagnetic properties and will set off the alarm.

17
Q

Configuration management

A

Configuration Management is used to ensure secure baselines on systems are adequately maintained, and any deviations are authorized and documented. Configuration Management seeks to establish safe, reliable configurations for systems.

18
Q

Change Management Plan

A

A Change Management Plan is a generic plan that documents how changes will be monitored and controlled. It defines the process for managing change in the project.

19
Q

Need to know principle

A

The need to know principle is used to determine if a user’s access to certain information is necessary to perform their job role sufficiently.

20
Q

RAID 1

A

Disk Mirroring. Requires at least 2 disks, with exact copies of the same data on each.

21
Q

EDRM

A

Electronic Discovery Reference Model.

Used in eDiscovery. Four phases:

Identification

Collection

Processing

Review

22
Q

Full backup

A

Complete copy of the target system, file, or data structure.

23
Q

Differential backup

A

A differential backup captures changes since the last full backup.

24
Q

Incremental backup

A

An incremental backup captures all the changes since the last full or incremental backup.

25
Q

Parallel Test

A

A parallel test includes performing all steps of a real recovery, except that you keep the live production systems running in the original location during the test. The actual production systems run in parallel with the disaster recovery systems.

26
Q

Most common type of perimeter defense.

A

Lighting

27
Q

SYN-ACK Spoofing (control, not attack)

A

Many NGFWs can spoof SYN-ACK conversations on behalf of the target system. Once the far end has proven it is real (by continuing the three-way handshake), the traffic is passed along to the target host.

28
Q

Statistical Sampling

A

Technique that can be used with log analysis to reduce the sheer volume of logs to inspect.

29
Q

Passive Monitoring vs Active Monitoring

A

Passive Monitoring: Uses a network tap or SPAN port to capture traffic and analyze it without impacting the network.

Active Monitoring, AKA Synthetic Monitoring: Uses recorded or generated traffic to test for performance and other issues.

30
Q

Signature-based monitoring

A

Uses known file signatures to judge whether a file is dangerous, e.g. IPS, IDS, anti-malware.

31
Q

Teardrop Attack

A

Exploits a flaw in a system’s ability to reassemble oversized fragmented packets. The attacker sends oversized fragmented packets that cause the victim system to crash when they are reassembled.

OSG page 817

32
Q

Evidence requirements

A

Relevant to determining a fact.

Material (related) to the case.

Competent - meaning obtained legally.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 913, 919-920.

33
Q

Remote Mirroring

A

When an exact copy of a database is maintained at an alternate location.

This is done in real time.

34
Q

Electronic Vaulting

A

Method of storing a complete copy of the DB in another location, but does NOT do so in real time.

35
Q

Remote Journaling

A

Real-time offsite duplication of database transaction logs, but NOT of the DB itself.

36
Q

Transaction Logging

A

SEE OSG

37
Q

Clipping (alerting)

A

Analysis technique that only reports alerts after a specific threshold is exceeded. A specific form of sampling.

38
Q

Application Log

A
39
Q

System Log

A

Records system events, such as when a system starts or stops, or services start/stop, or when service attributes are modified.

40
Q

Can an IDS determine if an attack was successful or not?

A

Usually not; it doesn’t have direct access to process information on the target systems.

41
Q

Documentary Evidence

A

Documentary evidence consists of any written items that prove or disprove facts. Documentary evidence generally must be authenticated by firsthand evidence to prove the evidence’s trustworthiness.

42
Q

Real Evidence

A

AKA Object evidence.

Consists of things that may actually be brought physically into a court of law, e.g. a murder weapon, clothing, or other physical objects.

In computer crime, may be a seized computer.

43
Q

Documentary Evidence Rules

A

Best Evidence Rule - states that the original document has to be introduced, not a copy.

Parol Evidence Rule - When an agreement between parties is put in written form, the document is assumed to contain all terms of the agreement and no verbal agreements may modify the written agreement.

44
Q

Testimonial Evidence

A

Witness testimony.

45
Q

Demonstrative Evidence

A

Used to support testimonial evidence.

For example, if a witness is explaining a network, they may use a network map as a demonstration device.

46
Q

Clipping (alerting)

A

The predetermined threshold for the number of errors, or the number of times an error occurs, before it is considered suspicious.

47
Q

Capacitance Motion Detector

A

A capacitance motion detector contains an electromagnetic field surrounding the device. When an object is present, changes to that field are detected and trigger an alarm.

48
Q

Wave Pattern motion detector

A

A wave pattern motion detector transmits a consistent low ultrasonic frequency signal into a monitored area to discover significant or meaningful changes or disturbances in the reflected pattern.

49
Q

Faraday bag

A

A Faraday bag blocks electromagnetic signals, preventing interference and removing the ability to remotely wipe or otherwise interact with a device.

50
Q

Should you analyze the original RAM or Hard drive?

A

NO - original evidence shouldn’t be touched beyond taking copies. Analyze the copies.

51
Q

Warded lock

A

A lock that uses obstructions (wards) to prevent the lock from being opened without the correct key.

52
Q

DHCP snooping uses

A

Prevents ARP poisoning attacks.

Prevents rogue DHCP servers.

Binds MAC addresses to IP addresses for trustworthiness.

53
Q

Direct Evidence

A

Direct evidence may come from witnesses who give oral testimony based on their observations. Direct evidence cannot be hearsay, which is second-hand testimony.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 913-916.

54
Q

Circumstantial evidence

A

Used to prove an intermediate fact used to assume another fact.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 913-916.

55
Q

Conclusive Evidence

A

Conclusive evidence is irrefutable and cannot be contradicted.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 913-916.

56
Q

Hierarchical Storage Management

A

Process of putting older backups on slower, cheaper forms of media, and newer backups on faster, more accessible forms of media.

A Hierarchical Storage Management (HSM) system dynamically manages data across different storage media to optimize for access speed or media cost. This technology is frequently used in backup solutions. For example, an HSM will transfer last week’s backup from Solid-State Drives (SSDs) to spindle drives and, after a month, it may transfer it to tape.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 896.

57
Q

Do normal home/business insurance policies cover floods?

A

Not usually

58
Q

Proximity card

A

Uses an electromagnetic coil for identification.

59
Q

SSAE18 and SOC

A

SSAE 18 is an attestation standard often used in SOC Audits.

60
Q

Impersonation - AKA Spoofing, AKA Masquerading

A

Act of taking on the identity of someone else.