Domain 7: Security Operations Flashcards

1
Q

Clipping levels

A

Clipping levels should be implemented to establish a baseline of user activity and acceptable errors.

2
Q

Why separation of duties?

A

Separation of responsibilities and duties should be in place so that if fraud takes place, it requires collusion.

3
Q

What should be in place to manage changes?

A
  • Change control
  • Configuration management
4
Q

Change management activities

A
  • Requesting a change
  • Approving a change
  • Documenting a change
  • Testing a change
  • Implementing a change
  • Reporting to management
5
Q

How do you counter equipment failure?

A

Proper fault-tolerant mechanisms

6
Q

Continuous monitoring

A

Continuous monitoring allows organizations to maintain ongoing awareness of information security vulnerabilities and threats to support organizational risk management decisions.

7
Q

Whitelist

A

A whitelist is a set of known-good resources such as IP addresses, domain names, or applications.

Conversely, a blacklist is a set of known-bad resources.

8
Q

SIEM

A

A security information and event management (SIEM) system is a software platform that aggregates:

  • Security information (like asset inventories)
  • Security events (which could become incidents)

and presents them in a single, consistent, and cohesive manner.

9
Q

Key aspects of operational security

A

The key aspects of operational security include:

  • Resource protection
  • Change control
  • Hardware and software controls
  • Trusted system recovery
  • Separation of duties
  • Least privilege
10
Q

Least privilege

A

Least privilege ensures that users, administrators, and others accessing a system have access only to the objects they absolutely require to complete their job.

11
Q

Conflict between physical security and human safety

A

Some physical security controls may conflict with the safety of people. These issues need to be addressed; human life is always more important than protecting a facility or the assets it contains.

12
Q

Proximity identification

A

Proximity identification devices can be:

  • User activated (action needs to be taken by a user)
  • System sensing (no action needs to be taken by the user)
13
Q

Transponder

A

A transponder is a proximity identification device that does not require action by the user.

The reader transmits signals to the device and the device responds with an access code.

14
Q

Intrusion detection system examples

A

Intrusion detection devices include:

  • Motion detectors
  • CCTVs
  • Vibration sensors
  • Electromechanical devices
15
Q

Cons of intrusion detection systems

A
  • Can be penetrated
  • Are expensive to install and monitor
  • Require human response
  • Are subject to false alarms
16
Q

Pros and cons of CCTV

A

  • Enables one person to monitor a large area
  • Should be coupled with alerting functions to ensure proper response

17
Q

Pros and cons of security guards

A
  • Security guards are expensive
  • Provide flexibility in response to security breaches
  • Can deter intruders from attempting an attack
18
Q

Vulnerability management

A

Vulnerability management is the cyclical process of:

  • Identifying vulnerabilities
  • Determining the risks they pose to the organization
  • Applying security controls that bring those risks to acceptable levels
19
Q

Patch management

A

Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems.

20
Q

Egress monitoring

A

Egress monitoring is the practice of tracking (and perhaps restricting) the information that is flowing out of a network.

21
Q

Offsite backup location types

A
  • Hot sites
  • Warm sites
  • Cold sites
22
Q

Reciprocal Agreement

A

A reciprocal agreement is one in which a company promises another company that it can move in and share space if it experiences a disaster, and vice versa.

Reciprocal agreements are very tricky to implement and may be unenforceable. However, they offer a relatively cheap offsite option and are sometimes the only choice.

23
Q

Hot site

A

A hot site is fully configured with hardware, software, and environmental needs.

It can usually be up and running in a matter of hours. It is the most expensive option but some companies cannot be out of business longer than a day without very detrimental results.

24
Q

Warm site

A

A warm site does not have computers, but it does have some peripheral devices such as disk drives, controllers, and tape drives.

This option is less expensive than a hot site but takes more effort and time to become operational.

25
Q

Cold site

A

A cold site is just a building with power, raised floors, and utilities. No devices are available.

This is the cheapest of the three options but can take weeks to get up and operational.

26
Q

RTO

A

Recovery time objective (RTO) is the maximum time period within which a business process must be restored to a designated service level after a disaster to avoid unacceptable consequences.

27
Q

RPO

A

Recovery point objective (RPO) is the acceptable amount of data loss measured in time.

28
Q

MTBF

A

Mean time between failures (MTBF) is the predicted amount of time between inherent failures of a system during operation.

29
Q

MTTR

A

Mean time to repair (MTTR) is the estimated amount of time it will take to get a device fixed and back into production after its failure.

30
Q

High availability

A

High availability refers to a system, component, or environment that is continuously operational.

31
Q

High availability for DR

A

High availability for disaster recovery is often a combination of technologies and processes that include:

  • Backups
  • Redundancy
  • Fault tolerance
  • Clustering
  • Load balancing
32
Q

How are data recovery and data restoration accomplished?

A
  • Vaulting
  • Backups
  • Replication technologies
33
Q

Who returns first to original site after a disaster?

A

When returning to the original site after a disaster, the least critical organizational units should go back first.

34
Q

COOP

A

COOP focuses on restoring an organization’s essential functions (usually those of a headquarters element) at an alternate site and performing those functions for up to 30 days before returning to normal operations.

This term is commonly used by the U.S. government to denote BCP.

35
Q

Business interruption insurance

A

Business interruption insurance covers the loss of income that an organization suffers after a disaster while it is in its recovery stage.

36
Q

Due diligence vs. Due care

A
  • Due diligence means you’re identifying and analyzing risks
  • Due care means you’re taking prudent actions day in and day out to mitigate them
37
Q

Negligence

A

Elements of negligence include:

  • Not fulfilling a legally recognized obligation
  • Failure to conform to a standard of care that results in injury or damage
  • Proximate causation
38
Q

Why evidence chain of custody?

A

To ensure that the evidence will be admissible in court, by showing it was properly controlled and handled before being presented.

39
Q

What makes business records admissible?

A

To be admissible in court, business records have to be:

  • Made and collected in the normal course of business
  • Not specially generated for a case in court

Business records can easily be hearsay if there is no firsthand proof of their accuracy and reliability.

40
Q

Evidence lifecycle

A

The life cycle of evidence includes:

  • Identification
  • Collection
  • Storage
  • Preservation
  • Transportation
41
Q

MOM

A

Motive, Opportunity, and Means (MOM)

42
Q

When is evidence admissible?

A

For evidence to be admissible in court, it needs to be:

  • Relevant
  • Complete
  • Sufficient
43
Q

Legally permissible

A

Evidence must be legally permissible, meaning it was seized legally and the chain of custody was not broken.

44
Q

Duress

A

Duress is the use of threats or violence against someone in order to force them to do something they don’t want to do or otherwise wouldn’t do.

45
Q

Describe an audio amplification motion detector.

A

Audio detectors simply monitor a room for any abnormal sound wave generation and trigger an alarm. Audio detectors are passive, in that they do not generate any fields or patterns as do wave pattern or capacitance detectors. This type of detection device generates a higher number of false alarms than the other two methods and should be used only in areas that have controlled ambient sound.

46
Q

Name at least five factors an organization should consider and plan for when designing a new site.

A
  • Walls
  • Doors
  • Ceilings
  • Floors
  • Windows
  • Electrical requirements
  • Fire detection
  • Fire escapes
  • Walls: Must have acceptable fire rating from floor to ceiling.
  • Doors: If doors are electrically powered, what state are they in if there is a power loss? An unlocked (or disengaged) state allows employees to exit and not be locked in. If a door lock defaults to open when power is disengaged, it is considered fail safe. If the lock defaults closed, it is considered fail secure.
  • Ceilings: Need to be waterproof and have an adequate fire rating. Additionally, they must be reinforced to keep unauthorized personnel from accessing secure areas.
  • Floors: The following are the concerns about flooring:
    • Slab: If the floor is a concrete slab, the concerns are the physical weight it can bear (known as loading, which is commonly 150 pounds per square foot) and its fire rating.
    • Raised: The fire rating, its electrical conductivity (grounding against static buildup), and that it employs a nonconducting surface material are concerns of raised flooring in the data center.
  • Windows: Interior or exterior windows need to be fixed in place and must be shatterproof. Depending on placement, the windows might need to be either opaque or translucent. Alarms or sensors also might be needed.
  • Electrical requirements: Adequate power must be available for the right locations. Rooms that have servers or other heat-producing equipment need additional cooling to protect the equipment. HVAC systems should be tied to fire-suppression equipment.
  • Fire detection: Smoke detectors should be used to inform employees of danger. Sprinklers and detectors should be used to reduce the spread of fire.
  • Fire escapes: How will employees exit the facility if a fire occurs?
47
Q

Describe a capacitance motion detector.

A

Capacitance detectors monitor an electrical field surrounding the object being monitored.

Capacitance detectors are used for spot protection within a few inches of the object, rather than for overall room security monitoring as with wave detectors. Penetration of this field changes the electrical capacitance of the field enough to generate an alarm.

48
Q

List at least six potential abuses to operations security.

A
  • Fraud
  • Rejected transactions
  • Erroneous transaction entered and rejected
  • Violation of integrity rules
  • Interference with operations
  • Denial of service
  • Production delays
  • Conversion to personal use
  • Unauthorized access/disclosure
  • Audit trail/system log corruption
49
Q

List at least five common operator privileges.

A
  • Perform initial program load
  • Start programs from console
  • Bypass label processing
  • Rename/relabel resources
  • Reset system
  • Set time and date
  • Reset passwords
  • Reassign ports and lines
50
Q

What does the term “accountability” refer to in the context of information systems security?

A

Accountability is a security principle that states that individuals must be able to be identified for their actions.

In other words, accountability is a property that ensures that the actions of an entity can be traced to that entity. With accountability, violations or attempted violations can be traced to individuals who can be held responsible for their actions. Audit trails and logs support accountability. Accountability cannot be achieved when a single user ID is shared by multiple persons.

51
Q

Name at least three types of biometric controls you can use in conjunction with locks.

A

  • Fingerprint
  • Palm
  • Retina scans
  • Iris scans
  • Facial scans

You can use any type of biometric authentication in conjunction with a lock. Examples include but are not limited to fingerprint, palm, retina, iris, or facial scans. These controls all rely on unique physiological traits to recognize and identify individuals.

52
Q

What is responsive area illumination?

A

Responsive area illumination takes place when an Intrusion Detection System (IDS) detects suspicious activities and turns on the lights within a specific area.

When responsive area illumination is plugged into automated IDS products, there is a high likelihood of false alarms. Instead of continuously having to dispatch a security guard to check out these issues, a CCTV camera can be installed to scan the area for intruders.

53
Q

It might be necessary while performing a risk analysis to calculate the annualized rate of occurrence (ARO). Define the ARO.

A

The annualized rate of occurrence (ARO) is the rate at which a threat is expected to occur.

The ARO is the value that represents the estimated frequency of a specific threat taking place within a one-year timeframe. When estimating the ARO, 0.0 represents never and 1.0 represents at least once a year. A value higher than 1.0 represents multiple occurrences in a single year. If a physical break-in is expected to occur once every 10 years, the ARO would be 0.1.

54
Q

What items might be included in an audit trail?

A

An audit trail should include the following:

  • Date and time of the access attempt
  • Whether the attempt was successful
  • Where the access was granted (which door, for example)
  • Who attempted the access
  • Who modified the access privileges at the supervisor level
55
Q

Describe a wave pattern motion detector.

A

Wave pattern motion detectors generate a frequency wave pattern and send an alarm if the pattern is disturbed as it is reflected back to its receiver.

These frequencies can be in the low, ultrasonic, or microwave range.

56
Q

Name at least four of the main natural disaster events that must be considered in a physical security plan.

A
  • Hurricanes and typhoons
  • Tidal waves
  • Floods
  • Earthquakes
  • Tornados
  • Fire

Hurricanes and typhoons: Essentially sea-borne storms. The effects on land include flooding, high winds, and tornadoes.

Tidal waves: A wave that overcomes sea walls and other protective measures to flood coastal areas.

Floods: The result of heavy rains or snow and ice melt where the ground cannot absorb the water.

Earthquakes: Caused by the movement of the earth along fault lines under the ground. Major structure damage can occur as the result of an earthquake.

Tornadoes: Violent storms in which a rotating column of air forms, capable of completely destroying the ground, buildings, and infrastructure it encounters.

Fire: Can be caused by man (arson) or nature (lightning) and is responsible for more loss of property and life than the other natural threats.

57
Q

How can you include video surveillance in a perimeter security plan?

A

Place cameras at the perimeter to capture vehicles or personnel entering the site through common ingress and egress paths. You can also place cameras in areas where guards or other personnel have limited visibility due to geographic features.

58
Q

What are some of the main manmade events that must be considered in a physical security plan?

A
  • Criminal actions
  • Sabotage
  • Vandalism
  • War

Criminal actions include the theft of company data or the illegal use of company assets.

Sabotage is the surreptitious destruction of an asset with the intent of harming the organization’s mission.

Vandalism refers to the damage or destruction of an asset, typically with personal motivations.

War entails damage caused as the result of a political action that delivers kinetic effects against another entity.

59
Q

Integrity is an important part of security, but it is commonly thought of as only protecting the data. Explain the importance of integrity in dealing with security.

A

Integrity refers to the state of the asset, and integrity means that there are no unauthorized changes, no matter what asset is discussed.

Assets could include:

  • Data
  • Network configurations
  • Physical hardware configurations

All types of assets need to have their integrity ensured. Data should not have any modifications made by unauthorized agents, but the same is true about other assets, too.

For example, no organization would want a network engineer changing system configurations without being approved or validated. This unauthorized action would threaten the integrity of the system’s configuration. Similarly, no organization would like someone to come in and change out the network cables that connect the systems to centralized switches.

60
Q

Due care should be taken in handling sensitive media. What are different methods that need to be considered as part of sensitive data handling?

A

Logical and physical controls that would be employed in sensitive media handling include:

  • Marking the media with appropriate labels
  • Limiting the access to only designated people
  • Storing in a secured place
  • Declassification and/or destruction of the media once it has been decided that it is no longer sensitive or required
61
Q

In the context of information security, what is information classification and why is it important?

A

The information classification process categorizes information so that appropriate controls can protect information against unauthorized disclosure, according to the organization’s sensitivity to its loss, disclosure, or lack of availability.

Information classification is not limited to just information alone, but extends to all assets that must be protected depending on the required confidentiality, availability, and integrity levels of those assets. Management must define the classification levels that will be used in the organization.

Data owners must properly classify data, which ensures that proper protection measures are in place according to the data sensitivity policy. The data custodian is the technical person who implements the controls on behalf of the data owner.

62
Q

Within the area of risk analysis, there are four basic goals. What are those goals?

A
  • Identify assets and their values
  • Identify vulnerabilities and threats
  • Quantify the probability and business impact of these potential threats
  • Provide an economic balance between the impact of the threat and the cost of the countermeasure

Asset valuation is required by both quantitative and qualitative processes. Determining the value of an asset is a fundamental step in risk assessment and must be carefully considered.

Qualitative risk assessment is scenario-driven and does not attempt to assign dollar values to components of the risk analysis. Absolute qualitative risk analysis is possible because it ranks the seriousness of threats and sensitivity of assets into grades or classes, such as low, medium, and high.

Quantitative risk assessment attempts to assign a numeric value (that is, dollar values) to the assessment of potential loss.

Provide an economic balance between the impact of the threat and the cost of the countermeasure: Safeguard selection is the process by which safeguards and countermeasures are researched and recommended.

63
Q

How can you use motion detectors in a perimeter security plan?

A

Like the use of video cameras, motion detectors can provide coverage of areas not easily accessible by guards. Unlike cameras, a motion sensor will generate an alarm when motion is detected in the area of coverage.

Motion detectors come in three categories:

  • Wave pattern
  • Proximity and capacitance
  • Audio amplification
64
Q

What does the term “authorization” refer to in the context of information systems security?

A

Authorization is the collection of access rights and permissions granted to a user, program, or process.

When an entity’s identity and authentication are established, authorization levels determine the extent of system rights that an entity can hold. Authorization is commonly not enforced to the necessary, granular level within organizations. The lack of detailed authorization commonly allows users too much access, which can lead to potentially devastating mistakes by the user or malicious activity.

65
Q

Name at least four factors an organization should consider when choosing a secure site for a facility.

A
  • Visibility
  • Local considerations
  • Susceptibility to natural disasters
  • Transportation
  • Joint use
  • Emergency services
  • Utilities

Visibility: What observation points exist to monitor the facility? These sites are important for the organization to control to provide complete visual coverage of the facility grounds, while denying the use of the same to potential adversaries.

Local considerations: What is the crime rate of the area? Is the facility in a high-traffic area?

Susceptibility to natural disasters: Does the site have any history of significant inclement weather (rains, snows, winds) or earthquakes?

Transportation: Is the facility in a high-traffic area? Is it near an airport?

Joint use: Do any other organizations have rights to an easement on the site?

Emergency services: Where are the nearest medical, fire, and police services?

Utilities: What are the types and availability of utilities?

66
Q

What are the three common categories of access control devices?

A
  • Passive
  • Field powered
  • Transponder

A passive device, for example a picture ID, has no power requirement.

A field-powered card transmits a signal for identification and uses power on the card.

A transponder is a device that has the circuitry to respond to an interrogation that usually also provides power through radio waves to the card.

Common types of cards include the following (type of card: description):

  • Photo ID: Facial photograph
  • Optical-coded: Laser-burned lattice of digital dots
  • Electric circuit: Printed on the card
  • Magnetic stripe: Stripe of magnetic material
  • Magnetic strip: Rows of copper strips
  • Passive electronic: Electrically tuned circuitry read by
  • Active electronic: Badge transmitting encoded electronics
67
Q

What is patch management and why is patch management critical in change control?

A

Problems and errors are continuously being found in software packages. Addressing the identified flaws in packages is a critical part of security management.

Tracking the patches provided to the application is part of change control, which should go through a formal control process.

Normally a risk-based decision is taken before deciding to apply a patch to the identified vulnerabilities to control the cost of providing the patches. Also, the order of patches can sometimes affect the outcome of the update.

68
Q

What are some of the problems with using Halon?

A

Halon contains chemicals (chlorofluorocarbons) that deplete the ozone layer, and concentrations greater than 10 percent are dangerous to people.

Halon used on extremely hot fires degrades into toxic chemicals, which is even more dangerous to humans.

69
Q

To ensure continuity of operations, what three issues need to be addressed at the facility level?

A
  • Power
  • Equipment
  • Physical security

Because power outages, surges, spikes, noise, etc., can damage computer systems, uninterrupted and regulated power is important for system operation.

Because temperatures that are too cold or too hot, as well as low or high humidity, can ruin expensive equipment, environmental control is critical.

To prevent unauthorized entry to the facility, physical security needs to be in place.

70
Q

A company needs to implement a CCTV system that will monitor a large area outside the facility. What is the correct lens combination for this?

A
  • Wide angle lens
  • Small lens opening

The depth of field refers to the portion of the environment that is in focus when shown on the monitor. The depth of field varies depending upon the size of the lens opening, the distance of the object being focused on, and the focal length of the lens.

The depth of field increases as the size of the lens opening decreases, the subject distance increases, or the focal length of the lens decreases. So if you want to cover a large area and not focus on specific items, it is best to use a wide-angle lens and a small lens opening.

71
Q

In which settings is a manual iris lens the appropriate choice rather than an auto iris lens?

A
  • A manual iris lens should be used in environments with fixed lighting
  • Environments with changing lighting call for an auto iris lens

Manual iris lenses have a ring around the CCTV lens that can be manually turned and controlled. A lens that has a manual iris would be used in an area that has fixed lighting, since the iris cannot self-adjust to changes of light.

An auto iris lens should be used in environments where the light changes, such as an outdoor setting. As the environment brightens, this is sensed by the iris, which automatically adjusts itself. Security personnel will configure the CCTV to have a specific fixed exposure value, which the iris is responsible for maintaining.

72
Q

Problems arise during the course of system operations. To counteract common problems, what measures need to be in place?

A

To address all the common problems that can arise during systems operations, a contingency plan needs to be in place.

A contingency plan identifies various types of anticipated threats and how to deal with them. The plan typically contains actions that need to be performed in response to failures of various system components, power and environmental failures, data and voice communications failures, physical threats, production delays, and input/output errors in the systems.

73
Q

Why are audit trails important in facilities management?

A

Audit trails provide an accounting of all actions that occur at a facility.

Whether the audit trail accounts for system logins or entry to the facility, proper accounting allows for the re-creation of a sequence of events if an intrusion or emergency occurs.

74
Q

A risk analysis is performed to identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards. When this process is complete, the information can be used to mitigate the risks. What are the four ways of handling risk?

A
  • Risk reduction
  • Risk transference
  • Risk acceptance
  • Risk rejection

Risk reduction: Implement a countermeasure to alter or reduce the risk.

Risk transference: Purchase insurance to transfer a portion or all the potential cost of a loss to a third party.

Risk acceptance: Deal with risk by accepting the potential cost and loss if the risk occurs.

Risk avoidance: Change the course of action so that risk does not exist anymore.

75
Q

List at least four of the critical steps in designing total operations security.

A
  • Performing risk analysis and identifying the most serious risks
  • Determining the authorization levels and requirements for various roles
  • Examining the geographical conditions of the facility
  • Determining physical security controls requirements
  • Addressing environmental requirements
  • Setting up a command center to monitor disasters and interruptions
76
Q

Several different types of physical controls enhance security from an access control perspective. Biometrics is one of these. Why would biometrics be considered an identification control?

A

Biometrics is a physical security technique that verifies an individual’s identity by analyzing unique physical attributes such as fingerprints, hand geometry, and signature dynamics.

A biometric system commonly identifies a user and a user-provided authentication component such as a password or PIN. When biometrics are used as a network control, they are commonly used with a username. In this case the username is the identification piece, and the biometric component is the authentication part.

Biometrics can fulfill either identification or authentication services. Authentication is the testing or reconciliation of evidence of a user’s identity. It verifies the user’s identity and ensures that the users are who they say they are.

77
Q

What are four types of water sprinkler fire extinguisher systems?

A
  • Wet pipe
  • Dry pipe
  • Preaction
  • Deluge

Wet pipe systems always contain water in the pipes and are usually discharged by temperature control level sensors. One disadvantage of wet pipe systems is that the water in the pipes may freeze in colder climates. Also, if there is a nozzle or pipe break, it can cause extensive water damage. These types of systems are also called closed head systems.

In dry pipe systems, the water is not actually held in the pipes. The water is contained in a holding tank until it is released. The pipes hold pressurized air, which is reduced when a fire or smoke alarm is activated, allowing the water valve to be opened by the water pressure. Water is not allowed into the pipes that feed the sprinklers until an actual fire is detected. First, a heat or smoke sensor is activated; then the water fills the pipes leading to the sprinkler heads, the fire alarm sounds, the electric power supply is disconnected, and finally water is allowed to flow from the sprinklers. These systems are the best choice for colder climates because the pipes will not freeze.

Preaction systems are similar to dry pipe systems in that the water is not held in the pipes but is released when the pressurized air within the pipes is reduced. Once this happens, the pipes are filled with water, but it is not released right away. A thermal-fusible link on the sprinkler head has to melt before the water is released. The purpose of combining these two techniques is to give people more time to respond to false alarms or to small fires that can be handled by other means. Putting out a small fire with a handheld extinguisher is better than losing a lot of electrical equipment to water damage. These systems are usually used only in data processing environments rather than the whole building, because of the higher cost of these types of systems.

A deluge system has its sprinkler heads wide open to allow a larger volume of water to be released in a shorter period. Because the water being released is in such large volumes, these systems are usually not used in data processing environments.

78
Q

What are some limitations or potential drawbacks to using dogs for perimeter security?

A

Dogs are a good form of detection and prevention; however, they cannot make judgment calls the way a human guard can.

Additionally, the predictability of guard dogs is somewhat in question. For instance, a golden retriever is more likely to play with an intruder than to attack, and a toy breed such as a Yorkie is no deterrent at all.

79
Q

What options exist for replacing Halon fire suppression systems?

A

Several EPA-approved options exist for current Halon systems, including:

  • FM-200
  • NAF-S-III
  • CEA-410
  • FE-13
  • Water
  • Inergen
  • Argon
  • Argonite

80
Q

As part of a risk analysis, you might need to determine the single loss expectancy (SLE). Please define what SLE is and how it is calculated.

A

Single loss expectancy (SLE) is the dollar figure assigned to a single event.

It represents an organization’s loss from a single occurrence of a threat. It is derived from the following formula:

  • SLE = asset value ($) × exposure factor (EF)

For example, an asset valued at $20,000 that is subjected to an exposure factor of 30 percent would yield an SLE of $20,000 × 0.30 = $6,000. (Note that the relationship is a product, not a quotient; dividing by the EF would give a loss larger than the asset is worth.)

81
Q

Explain misuse prevention mechanisms as part of resource protection.

A

Data storage media is available in various capacities and sizes. Nowadays, many forms of media are highly portable. This portability creates an opportunity for misuse of resources and of the data held on the media.

Misuse prevention mechanisms that counter this include:

  • Defining and rolling out organizational policies
  • Staff training
  • Prevention of unauthorized carrying of media
  • Limiting access to backups and critical data to authorized personnel only
  • Access logging
  • Configuration management

82
Q

What is the functionality of an intrusion detection system (IDS) in operations security?

A

An intrusion detection system (IDS) consists of monitors that track system activity against preset criteria to identify any potentially unwanted intrusions into the system.

An IDS set at a workstation or server level is called a host-based IDS.

An IDS set for monitoring network traffic for any anomalies is called a network-based IDS.

There are other types of IDS that look for unauthorized sharing of and access to files. An IDS provides near-real-time warnings that must be monitored so that the necessary actions can be taken against the reported events.
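
As an added example (not part of the original flashcards) of the "preset criteria" a host-based IDS applies, the Python below parses a constructed set of sshd-style authentication log lines and raises an alert when a single source address accumulates a threshold of failed logins inside a sliding time window. The log lines, the threshold, the window and the function name are assumptions for illustration, not output of any real IDS product.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sshd-style auth log lines (not real data): one source hammers
# root/admin five times in seven seconds, another has two failures 15 minutes apart.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2024-03-01T09:00:03 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
2024-03-01T09:00:05 sshd[4102]: Failed password for root from 203.0.113.7 port 50124 ssh2
2024-03-01T09:00:06 sshd[4103]: Failed password for root from 203.0.113.7 port 50125 ssh2
2024-03-01T09:00:08 sshd[4104]: Failed password for root from 203.0.113.7 port 50126 ssh2
2024-03-01T09:00:09 sshd[4105]: Accepted password for alice from 198.51.100.4 port 51000 ssh2
2024-03-01T09:30:00 sshd[4110]: Failed password for bob from 198.51.100.4 port 51010 ssh2
2024-03-01T09:45:00 sshd[4111]: Failed password for bob from 198.51.100.4 port 51011 ssh2
"""

# Matches the constructed line format above; a production parser would need
# the real syslog timestamp and host fields of the target system.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def detect_bruteforce(log: str, threshold: int = 5,
                      window_seconds: int = 60) -> List[Tuple[str, datetime]]:
    """Host-based IDS rule: alert when one source IP reaches `threshold`
    failed logins within `window_seconds`. Returns (source, alert_time) pairs."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, datetime]] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # lines the rule does not understand are ignored
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        if m["result"] == "Accepted":
            recent[src].clear()           # a successful login ends the failure streak
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, ts))
            q.clear()                     # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    for src, when in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {when.isoformat()} possible password brute force from {src}")
```

The window matters as much as the threshold: the second source never trips the default rule because its two failures are fifteen minutes apart, but widening the window to an hour catches it. Tuning those two numbers to the organization's normal rate of mistyped passwords is exactly the baseline-setting exercise a real deployment has to do.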

83
Q

What is Crime Prevention Through Environmental Design (CPTED)?

A

CPTED is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior.

CPTED provides guidance in loss and crime prevention through proper facility construction and environmental components and procedures.

The crux of CPTED is that the physical environment can be manipulated to create behavioral effects that will reduce crime and the fear of crime. It looks at the components that make up the relationship between humans and their environment.

84
Q

Pertaining to Crime Prevention Through Environmental Design CPTED, what is territorial reinforcement?

A

Territorial reinforcement is a CPTED strategy that creates physical designs that emphasize or extend the company’s physical sphere of influence so legitimate users feel a sense of ownership of that space.

Territorial reinforcement can be implemented through the use of walls, fences, landscaping, light fixtures, flags, clearly marked addresses, and decorative sidewalks. The goal of territorial reinforcement is to create a sense of a dedicated community.

85
Q

When an organization is fully aware of all the controls that are in place, why would the organization still choose to perform vulnerability scanning?

A

Knowing the physical and logical components, and the security controls around those components, does not tell you which vulnerabilities exist within those components and controls. Vulnerability scanning identifies those vulnerabilities, including ones that an inventory of controls would never reveal.

Vulnerabilities arise through absence of policies, errors, and omissions in configurations. Once the vulnerabilities are identified, risk around each of those vulnerabilities needs to be assessed to prioritize the actions that need to be taken.

86
Q

What are perimeter controls?

A

Perimeter controls describe the devices and systems that control and observe access at the boundary of a site.

Examples of perimeter controls are:

  • Fencing
  • Closed-circuit video surveillance systems

87
Q

What are the four primary types of perimeter alarm systems?

A
  • Local
  • Central station
  • Proprietary
  • Auxiliary station

A local alarm system is designed to alert at the local facility only and should be audible for at least 400 feet.

A central station alarm notifies a central monitoring facility, typically run by a third-party monitoring company, of a possible intrusion.

A proprietary system is similar to a central station system except that the monitoring station is owned and operated by the organization itself (for example, its own guard room), rather than by an outside company.

An auxiliary alarm rings not only at the local facility but also at an outside responder such as the local fire or police department (a fire alarm is the common example).

88
Q

What three components constitute the information security triad?

A
  • Confidentiality
  • Integrity
  • Availability

All information security controls, safeguards, and security processes are subject to CIA principles. These three attributes of information represent the full spectrum of security concerns in an automated environment.

They are applicable for any organization irrespective of its philosophical outlook on sharing information.

Confidentiality: Making sure the information is accessible only to those authorized to have access to it.

Integrity: Safeguarding the accuracy and completeness of all information and processing methods.

Availability: Making sure that authorized users have access to information and associated assets when required

89
Q

Explain the importance of security audits as a control method.

A

Audit results help the senior management of the organization be confident that all the required controls are in place.

Any gaps identified during the audit are addressed by senior management based on the threat level and other discretionary parameters, such as the organization’s risk acceptance level.

90
Q

Explain how configuration management control is applied to software and hardware and other IS assets.

A

When used on software, hardware, and other assets (such as network components), configuration management helps the organization identify and track the updates and movements of its assets.

When proper configuration management is applied through inventories, necessary tracking and integrity can be achieved.

Inventories may track assets’ information such as serial number, model and make, location, configuration, and tracking numbers assigned within the organization. In order for configuration management to succeed, it is vital to update these parameters whenever there is any change in any of their values.

91
Q

With respect to Crime Prevention Through Environmental Design (CPTED), what is a natural access control?

A

Natural access control is the use of the environment to control access to entry points, such as using landscaping and bollards to channel people toward a single, observed entrance.

By contrast, natural surveillance is the related CPTED strategy of designing the space so activity is easy to observe; an example is constructing pedestrian walkways so there is a clear line of sight to all activity in the surroundings.

92
Q

What is the effective protection of a fence standing 3 to 4 feet high?

A

A fence 3 to 4 feet high will only deter casual trespassers.

The effective protection offered by a fence is directly proportional to its height. A fence 3 to 4 feet high will deter only casual trespassers, a fence 6 to 7 feet high is too tall to climb easily, and a fence 8 feet high or taller should deter a determined intruder.

93
Q

What are bollards?

A

Bollards are short posts used to prevent vehicular access and to protect a building or people walking on a sidewalk from vehicles.

Typically made of steel or concrete, bollards can also be used to direct foot traffic. Bollards can be static (like a barricade) or raise and lower to restrict traffic only when desired.

94
Q

In the context of information security, there are three roles a person can have. What are those roles?

A

Owner,

Custodian

User

Owner: Must classify the data he or she is responsible for protecting. The owner has the final organizational responsibility for data protection, and under the concept of due care the owner might be liable for negligence because of a failure to protect this data.

Custodian: The custodian has day-to-day responsibility for protecting the data. The custodian implements and maintains the necessary security mechanisms to fulfill specific data classification levels. The data classification is by the data owner, not the data custodian

User: The end users are people who routinely use the information as part of their job. They can also be considered consumers of the data. Users are responsible for protecting the data at their level, but they do not classify the data or maintain the security mechanisms as the data owner and data custodian do. For example, users do not decide that data is confidential, and they may not share confidential information with unauthorized users.

95
Q

What are the two common types of uninterruptible power supplies?

A

The two common types of UPSs are

  • Online systems
  • Standby systems

An online system uses AC power to continuously charge a bank of DC batteries while the computer systems draw their power through a power inverter that converts the battery DC voltage back to AC. Because the load is always fed from the batteries through the inverter, there is no transfer when utility power fails. These systems are good for short-term power outages.

Standby UPS devices stay inactive until the power line fails. The system has sensors that detect a power failure, and the load is switched to the battery pack. The switch to the battery pack is what causes the small delay in electricity being provided. So an online UPS picks up the load much more quickly than a standby UPS, but costs more, of course.

96
Q

Name the three different types of controls.

A
  • Administrative
  • Technical (or logical)
  • Physical Controls

Administrative controls include the developing and publishing of policies, standards, procedures, and guidelines; risk management; the screening of personnel; conducting security-awareness training; and implementing change control procedures.

Technical controls (also called logical controls) consist of implementing and maintaining access control mechanisms; password and resource management, identification and authentication methods; security devices; and the configuration of the infrastructure.

Physical controls entail controlling individual access into the facility and different departments; locking systems and removing unnecessary removable-media drives (floppy or CD-ROM); protecting the perimeter of the facility; monitoring for intrusion; some types of security devices (for example, CCTV); and environmental controls.

Controls can be

  • Corrective
  • Detective
  • Preventive
  • Deterrent

97
Q

What are some limitations or potential drawbacks to using guards for perimeter security?

A

Guards:

  • Are expensive
  • Require continual training
  • Are susceptible to compromise
  • Might even steal company property

Guards can provide one of the best security measures; they act as both detectors and preventers. However, guards are human and suffer from the drawbacks listed in the answer field above.

The security guard should have clear and decisive tasks that she is expected to fulfill. The guard should be fully trained on the activities she is expected to perform and on the responses expected from her in various situations.

She should also have a central control point to check in to, two-way radios to ensure proper communication, and the necessary access into areas she is responsible for protecting.

98
Q

For information classification, what are the two criteria points commonly used to determine the classification level of a given piece of data?

A
  • Value
  • Age

Value is the most commonly used criterion for classification. If the information is valuable to an organization or its competitors, it needs to be highly protected.

As for age, the classification of the information may be lowered if the information’s value decreases over time.

In the Department of Defense (DoD), some classified documents are automatically declassified after a predetermined time period has passed. There are certainly other criteria for determining classification levels of data; these are just two examples.

99
Q

Explain the difference between a “threat” and a “vulnerability”.

A

A threat is any potential danger to information or systems. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual; the threat agent can be a person, a process, or a natural disaster.

A vulnerability is a flaw or weakness in the system that can be exploited to violate an AIC (availability, integrity, confidentiality) principle. Vulnerability is a software, hardware, or procedural weakness that might provide an attacker with the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.

The entity that takes advantage of vulnerability is a threat agent, which can be

  • An intruder accessing the network through a port on the firewall
  • A process accessing data in a way that violates the security policy
  • A tornado wiping out a facility
  • An employee making an unintentional mistake that could expose confidential information or destroy a file’s integrity

Vulnerability characterizes the absence or weakness of a safeguard that could be exploited. The vulnerability might be:

  • A service running on a server
  • Unpatched applications or operating system software
  • Unrestricted modem dial-in access
  • An open port on a firewall
  • Lax physical security that allows anyone to enter a server room
  • Unenforced password management on servers and workstations

100
Q

What are the different RAID implementations?

Which RAID implementation type requires at least three drives, stripes data and parity information across all drives, is the most popular, and can tolerate the loss of any one drive?

A

A RAID implementation type (level) is defined by the number of disks used and the writing technique used.

  • RAID 0: Writes files in stripes across multiple disks without the use of parity information. This technique allows for fast reading and writing to disk.
  • RAID 1: This level duplicates all disk writes from one disk to another to create two identical drives. This technique is also known as data mirroring.
  • RAID 2: Data is spread across multiple disks at the bit level using this technique. Redundancy information is computed using a Hamming error correction code, which is the same technique used within hard drives and error-correcting memory modules.
  • RAID 3 and RAID 4: Data is striped across multiple disks in bytes for level 3 and blocks for level 4. Parity information is written to a dedicated disk. These levels provide redundancy and can tolerate the loss of any one drive in the array.
  • RAID 5: This level requires three or more drives to implement. Data and parity information is striped together across all drives. This level is the most popular and can tolerate the loss of any one drive.
  • RAID 6: This level extends the capabilities of RAID 5 by computing two sets of parity information. The dual parity distribution accommodates the failure of two drives.
  • RAID 10: This level is considered a multi-RAID level. It combines the characteristics of RAID 0 and RAID 1, which stripes data across mirrors. This level requires substantial storage capacity, but the benefits are excellent redundancy and overall performance.

RAID 5
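
To show why RAID 5 tolerates the loss of exactly one drive, the following is an added example (not from the original flashcards) that simulates the layout in Python: data blocks are striped across all drives with one XOR parity block per stripe, the parity position rotates from stripe to stripe so no single drive becomes the parity bottleneck, and any one missing drive is rebuilt by XOR-ing the surviving blocks of each stripe. The sample payload, the four-drive geometry, the block size and the function names are assumptions for illustration; a real controller also handles block checksums, write ordering and rebuild scheduling, which this toy omits.

```python
from typing import List, Optional

# Constructed payload for the demonstration; padding is NUL bytes, so the
# toy assumes the real data does not itself end in NUL.
SAMPLE = b"Domain 7: Security Operations, RAID 5 test"


def xor_block(blocks: List[bytes]) -> bytes:
    """XOR equal-length byte blocks together; this is the RAID 5 parity function."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, n_disks: int, block_size: int) -> List[List[bytes]]:
    """Lay `data` out over n_disks: every stripe holds n_disks-1 data blocks
    plus one parity block, and the parity block rotates across the drives."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = (n_disks - 1) * block_size
    padded = data + b"\x00" * (-len(data) % per_stripe)   # whole stripes only
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        chunk = padded[s * per_stripe:(s + 1) * per_stripe]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size]
                       for i in range(n_disks - 1)]
        parity = xor_block(data_blocks)
        parity_disk = s % n_disks          # rotate the parity position per stripe
        it = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]], block_size: int) -> bytes:
    """Read the array back; a drive given as None is treated as failed and is
    rebuilt stripe by stripe from the survivors. Two failures are unrecoverable."""
    n_disks = len(disks)
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 cannot survive more than one failed drive")
    n_stripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(n_stripes):
        parity_disk = s % n_disks
        stripe = [None if d is None else d[s] for d in disks]
        if failed:
            # Missing block (data or parity) = XOR of every surviving block in the stripe
            stripe[failed[0]] = xor_block([b for b in stripe if b is not None])
        for d in range(n_disks):
            if d != parity_disk:
                out += stripe[d]
    return bytes(out)


def survives_any_single_failure(data: bytes, n_disks: int, block_size: int) -> bool:
    """Fail each drive in turn and confirm the original data is always recovered."""
    disks = raid5_write(data, n_disks, block_size)
    for i in range(n_disks):
        degraded = list(disks)
        degraded[i] = None
        if raid5_read(degraded, block_size).rstrip(b"\x00") != data:
            return False
    return True


if __name__ == "__main__":
    print("single-drive failure tolerated:",
          survives_any_single_failure(SAMPLE, n_disks=4, block_size=4))
```

The same XOR rebuild is why RAID 5 does nothing for you against two concurrent failures (hence RAID 6's second parity set) or against a controller, firmware or ransomware event that writes bad data to every drive at once: parity reproduces whatever was written, correct or not, so RAID is availability, not backup.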

101
Q

Security awareness training is considered a security control and a necessary part of a successful security program. Explain why security awareness training is critical to an organization.

A

Well-informed and trained management, technical staff, other employees, and end-users will be reminded of the vulnerabilities and threats that are out there and possible risk-mitigation actions that can be taken to protect the organization and its valuable assets.

By using a formalized process for security awareness training, management can establish a method that provides the organization with the best results for making sure security policies and procedures are presented to the right people in an organization. This way management can make sure everyone understands what a corporate security policy is, why having the security policy is important, and how it fits into the individual’s role in the organization.

102
Q

Exposure factor (EF) is used as part of a risk analysis. Please define EF.

A

The exposure factor (EF) represents the percentage of loss a realized threat can have on a certain asset.

So, for example, if a data warehouse has the asset value of $150,000, it might be estimated that if a fire were to occur, 25 percent of the warehouse would be damaged (and not more, because of a sprinkler system and other fire controls, proximity of a firehouse, and so on). In this case, the EF is 25 percent and the SLE (single loss expectancy) would be $37,500.

This figure is derived to be inserted into the ALE (annualized loss expectancy) equation.

103
Q

Why is a lock considered a delaying mechanism?

A

Locks are considered delaying mechanisms because a person who is determined to get in can eventually disengage a lock in some manner if given enough time.

Locks are an effective security measure. They come in a variety of strengths, sizes, and locking mechanisms, including combination, key, and biometric. Visibility shields should be present on combination locks to prevent disclosure of the combination.

104
Q

What are the three requirements of heating, ventilation, and air conditioning systems?

A

The HVAC system should

  • Maintain the appropriate temperature and humidity levels
  • Provide closed-loop recirculating air conditioning
  • Provide positive pressurization and ventilation

105
Q

A concept that is necessary to understand so you can perform a risk analysis is the annualized loss expectancy (ALE). Please define the ALE.

A

The annualized loss expectancy (ALE) is the annual expected loss due to a given threat.

Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO)

For example, a threat with a dollar value of $50,000 (SLE) that is expected to happen only once in 100 years (ARO of 0.01) will result in an ALE of $50,000 × 0.01 = $500. (As with SLE, the relationship is a product; dividing by an ARO of 0.01 would produce $5,000,000, which is obviously not an annual expectation for a once-a-century event.)

106
Q

Electrical interruption is usually a critical event for most organizations. Name at least five categories of electrical power disruption.

A

Following are nine classifications of electrical power disruptions:

  • Fault
  • Blackout
  • Sag
  • Brownout
  • Spike
  • Surge
  • Inrush
  • Noise
  • Transient

A fault is a momentary power loss.

A blackout is a complete loss of power.

A sag is momentary low voltage.

A brownout is prolonged low voltage.

A spike is momentary high voltage.

A surge is prolonged high voltage.

Inrush is the initial surge of power when an electrical device is first turned on.

Noise is a steady, interfering disturbance.

A transient is a short-duration line noise disturbance.