Domain 7 -- Security Operations Flashcards
(109 cards)
1
Q
Give a list of tasks that should be performed by the security admin, not the network admin.
A
- Implements and maintains security devices and SW
- Carries out security assessments
- Creates and maintains user profiles and implements and maintains access control mechanisms
- Configures and maintains security labels in mandatory access control (MAC) environments
- Manages password policies
- Reviews audit logs
2
Q
What kinds of questions do security admins need to ask themselves?
A
- Are users accessing information and peforming tasks that are not necessary for their job function?
- Are repetitive mistakes being made?
- Do too many users have rights and privileges to sensitive or restricted data or resources?
*
3
Q
What is a clipping level?
A
A clipping level is a baseline for violation activities before the activity is considered suspicious
IDS systems normally track activities and behavior patterns
4
Q
Locks are considered _________ devices to intruders.
A
delaying
5
Q
What type of lock is a basic padlock?
A
A ward lock.
It has a spring loaded with a notch cut in
6
Q
What kind of lock has more pieces than a ward lock?
A
A tumbler lock
7
Q
What are the three types of tumbler locks and what’s the difference between them?
A
- The pin tumbler lock is the most common
- Wafer tumbler lock – the round kind normally found in filing cabinets
- Does not afford much protection – easily circumvented
- Lever Tumbler lock
8
Q
What is a cipher lock?
A
A cipher lock is a programmable lock that are keyless and use keypads.
- Can require a card to be swiped or a combo to be entered
- More expensive, but more functionality
9
Q
What kinds of functionality is available on cipher locks?
A
- Door delay – alarm triggers if door is open for too long
- Key override – special combination can be enterred to over ride normal functions
- Master keying
- Hostage alarm
10
Q
What are two important things to remember to do with combination locks?
A
- Change the combination periodically
- use random combination sequences
11
Q
What are examples of device locks?
A
- Switch controls - cover on/off power switches
- Slot locks
- Port controls - blocks access to disk drives or unused serial or parallel ports
- Peripheral switch controls
- Cable traps (prevent removal of input/output devices by passing cables through a lockable unit
12
Q
What are the three grades of locks available?
A
- Grade 1 – Commercial and industrial light use
- Grade 2 – Heavy duty residential / light duty commercial
- Grade 3 – Residential consumer
13
Q
What are the three main categories of lock cylinders?
A
- Low security – No pick or drill resistance
- Medium security – some pick protection provided
- High security – pick resistance through many different mechanisms
14
Q
What are two techniques for circumventing tumbler locks and how do they work?
A
- Raking –
- Lock bumping
- Need a bump key to make it work
15
Q
Exam Tip
What are Electronic Access Control (EAC) tokens?
A
- Generic term to describe proximity authentication devices
- proximity readers
- programmable locks
- biomentric systems
16
Q
What are the goals of External Boundary Protection Mechanisms?
A
- Control pedestrian and vehicle traffic flow
- Various levels of protection for different security zones
- Buffers and delaying mechanisms to protect against forced entry attempts
- Limit and control entry points
17
Q
What controls can be used to provide external boundary protection?
A
- Access control mechanisms
- locks, keys, card systems, personnel awareness
- Physical barriers
- Fences, gates, walls, door windows, vents, vehicular barriers
- Intrusion detection
- Perimeter sensors, interior sensors, annunciation mechanisms
- Response
- Guards, local law enforcement
- Deterrents
- Signs, lighting, environmental design
18
Q
Talk to me about fence height.
A
- 3-4 feet high only deter casual trespassers
- 6-7 feet high are considered too high to climb easily
- 8 feet high means that you are serious about protecting your property
19
Q
What is PIDAS Fencing?
A
It stands for Perimeter Intrusion Detectionand Assessment System (PIDAS)
- has sensors
- Can detect if a person attempts to climb or cut fence
20
Q
What is meant by glare protection for the security force?
A
It means that bright lights should be pointed towards the things that the guards have to observe (like gates) so that the security team is not fighting the light to do their job
21
Q
What is standby lighting
A
It is lighting that can be configured to turn on or off at various times to give the appearance that faicilities are occupied.
22
Q
What is an annunciator system?
A
They are products that can “listen” for noise or watch CCTV cameras or detect movement.
It makes it so the security guard doesn’t have to stare at a camera for 8 hours per day.
23
Q
What are the sorts of things that physical IDS can trigger on?
A
- Beams of light
- Sounds and vibrations
- Motion
- Different kinds of fields
- microwave, ultrasonic, electrostatic
- Electrical circuit
24
Q
What are some of the most important things to keep in mind regarding Intrusion Detection systems?
A
- They are expensive and require human intervention
- Require redundanct power and emergency power backup
- They can be linked to a centralized security system
- They should have a failsafe configuration, which defaults to activiated
- They should detect and be resistant to tampering
25
Exam Tip:
Because the use of guard dogs introduces significant risks to human safety, exam answers that include dogs are likely to be \_\_\_\_\_\_\_\_\_\_\_.
incorrect
26
Audit and access logs are \_\_\_\_\_\_\_\_\_\_\_\_\_\_, not preventative.
detective
27
What are examples of internal physical security controls?
* Work area separation
* Personnel badges that must be worn in the building
* Roving guards that look for violations and unauthorized personnel
28
What's the definition of provisioning for the CISSP exam?
* the set of all activities required to provide one or more new information services to a user or group of users.
* Provisioning must be done securely
29
What's the best way to track hardware to know that you've got everything you're supposed to be tracking?
Get monitorying software that detects devices on the network.
30
What are the key things to do in order to track software properly?
* Application whitelisting
* Using gold masters
* Enforcing the principle of least privilege
* Automated scanning
31
What is the Asset Management Cycle?
* Business Case
* Acquisition
* Operation and Maintenance (O&M)
* Retirement
32
What is configuration management as it relates to the CISSP exam?
Configuration managementis the process of establishing and maintaining consistent baselines on all of our systems
33
What's the difference between Change Management and Configuration Management?
Change management is a business process.
* concerned with changing features of system being developed
* IT and security people are not usually in charge of change management (though they are involved in it)
Configuration management is an operational process
* Example is how to configure software
* Information security usually leads in configuration management
34
What are the steps in the Change Control Process?
* Request for a change to take place
* Approval of the change
* Documentation of the change
* Tested and presented
* Implementation
* Report Change to management
35
What's the difference between:
* System reboot
* Emergency system restart
* System cold start
* System reboot -- takes place after the system shuts itself down in a controlled manner in response to a kernel failure
* Emergency system restart -- takes place after a system failure happends in an uncontrolled manner
* System Cold Start -- takes place when an unexpected kernel or media failure happends and the regular recovery procedure cannot recover the system to a more consistent state
36
What are the three steps to take after a system crash?
1. Enter into single user or safe mode
2. Fix issue and recover files
3. Validate critical files and operations
37
Name 4 things you should do while recovering a system
* Protect the boot sequence (C:, A:, D:) -- make sure that a hacker can't get the system to boot from a drive that you don't want it to boot from
* Do not allow bypassing of writing actions to system logs
* Do not allow system forced shutdowns -- only admins should have the ability to shut systems down.
* Do not allow outputs to be rerouted
38
What are steps that should be part of any Change Control Policy?
* Request for a Change to take place
* Approval of the change
* Documentation of the Change
* Tested and Presented
* Implementation
* Report Change to management
39
What is a critical element of any change plan?
A backout plan
40
What's the difference between:
* System reboot
* Emergency system restart
* System cold start
* System Reboot - Takes place after the system has shut itself down in a controlled manner in response to a kernel failure
* Emergency system restart- takes place after a system failure happens in an uncontrolled manner
* System Cold Start takes place when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system to a more consistent state
41
What are some key guidelines for remote systems administration?
* Require a VPN connection protected with 2-factor authentication
* Commands and data should not take place in cleartext
* Strong authentication should be in place for any administrative activities
* Truly critical systems should be administered locally, rather than remotely
* Only a small number of administrators should be able to carry out remote functionality
42
What's the difference between MTBF and MTTF?
* MTBF - Mean Time Between Failures assumes that a device is repairable
* MTTF -- Mean Time to Failure -- means that the device is not repairable
43
What does MAID stand for?
Massive Array of Inactive Disks
Similar idea to RAID, but with the intent to replace tape drives / tape libraries.
Disks spin up and are powered on only when needed.
44
What does MSSP stand for?
Managed Security Services Provider
45
What considerations should you consider before hiring an MSSP?
* Requirements
* Understanding
* Reputation
* Costing
* Liability
46
What's the difference between an event and an incident?
* An event is something that happened
* An incident is a negative thing that happened
* An incidednt is a type of event
47
What are three types of Incident response teams?
* A virtual team. These are experts who have other duties, assighments, but who will be part of the incident response team in a crisis
* A permanent team -- People who are dedicated strictly to incident response
* A hybrid team -- hybrid of virtual and permanent.
48
What are the basic items that an incident response team should have available?
* A list of outside agencies and resources to contact or report to
* An outline of roles and responsibilities
* A call tree to contact these roles and outside entities
* A list of computer or forensic experts to contact
* A list of steps to take to secure and preserve evidence
* A list of items that should be included in a report for management and potentially the courts
* A description of how the different systems should be treated in this type of situation
49
What is CERT and how can you take advantage of it?
CERT stands for Computer Emergency Response Team
* CERT is an organization that is responsible for monitoring and advising users and companies about security preparation and security breaches.
* Members of a company's incident response team should get on the mailing list to keep apprised of new issues and so they can spot malicious events
50
What are the seven steps of the Cyber Kill Chain?
1. Reconnaissance
2. Weaponization
3. Delivery (95% of the time via email with a link to a malicious website)
4. Exploitation (attacker's software is running in your organization)
5. Installation. Malicious software is usally delivered in stages
6. Command and Control -- Most malware will phone home to let attackers know that the attack was successful
7. Actions on the Objective
As security professionals, we want to kill the attack as early as possible.
51
What information should be reported for each security incident?
* Summary of incident
* Indicators
* Related incidents
* Actions taken
* Chain of custody of all evidence (if applicable)
* Impact assessment
* Identity and comments of incident handlers
* Next steps to be taken
52
What are the key steps in Incident Response?
* Detection
* Response
* Mitigation
* Reporting
* Recovery
* Remediation -- permanent solution to make sure it never happens again
53
What is an IOC and IOA and give examples?
IOC stands for Indicator of Compromise
IOA stands for Indicator of Attack
Indicators of both:
* Outbound traffic to a particular IP address or domain name
* Abnormal DNS query patterns
* Unusually large HTTP requests and/or responses
* DDos traffic
* New Registry entries (in Windows systems)
54
What questions should be asked to ensure that the organization learns from the incidents it encounters?
* What happened?
* What did we learn?
* How can we do better next time?
55
What are key considerations re whether to bring law enforcement in regarding a security breach?
* Law enforcement agencies are good at investigation
* Company could lose control over where the investigation goes
* Secrecy of compromise is not promised. Could be part of public record
* Effects of reputation must be considered
* Evidence will be collected and may not be available for a long period of time. It may take a year or more to get it to court
56
What is teh SWGDE and what are its principles?
It's an organization that aims to ensure consistency across the forensics community. Principles:
1. When dealing wtih Digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon the seizing of digital evidence, actions taken should not change that evidence
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose
4. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
6. Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
57
What does MOM stand for with respect to computer crime?
Motive, Opportunity, Means
58
Motive is the _____ and ______ of a crime.
who and why
59
What are the four different types of assessments Incident Investigators can do?
* Network Analysis
* Media Analysis
* Software analysis
* Hardware/embedded device analysis
60
What are the four types of Incident Investigations and how are they different?
* Administrative -- focused on policy violations (least impactful)
* Criminal -- if we think that a crime may have been committed, then we need to preserve evidence and engage Law enforcement agencies (LEA's)
* Civil -- similar to legal, but law enforcement won't be involved (just lawyers on both sides). Standard of proof is much lower for civil cases
* Regulatory -- a regulatory investigation is initiated by a government regulator when there is reason to believe that an orginzation is not in compliance with applicable laws.
* Company's responsibility is to preserve evidence adn assist regulators as appropriate
61
What are the key steps in the Forensic Investigation Process
* Identification
* Preservation
* Collection
* Examination
* Analysis
* Presentation
* Decision
62
What are the key principles to keep in mind regarding the crime scene?
* Only allow authorized individuals onto the crime scene
* Document who is at the crime scene
* Document who the last individuals were to interact with the systems
* If the crime scene becomes contaminated, document it
63
To prove the integrity of the evidence, it is important to create an _________ \_\_\_\_\_\_\_\_\_\_\_ of the evidence
Message digest
64
What are some of the key tools in a forensics toolkit?
* Documentation Tools
* Disassembly and removal tools
* Package and transport supplies
65
What is a very important concept in evidence handling?
Chain of custody
66
What are the four steps in the lifecycle of evidence?
* Collection and identification
* Storage, preservation and transportation
* Presentation in Court
* Return of evidence to the victim or owner
67
Which amendment of the US Constitution protects Americans against unlawful search and seizure?
The Fourth Amendment
68
What's the difference between enticement and entrapment?
* Enticement is legal as usally done. Honeypots are enticement
* Entrapment would be if a user clicked on an ad and was taken to a honeypot which then recorded all of the suspected hackers actions
69
What does WRT stand for in the context of Disaster Recovery?
WRT is Work Recovery Time
70
What does MTD stand for in the context of Disaster Recovery?
Maximum Tolerable Downtime
71
What's the difference between:
* Nondisaster
* Disaster
* Catastrophe
* Nondisaster is a significant disruption in service, but is limited
* A disaster is an event that causes an entire facility to be unusable for a day or longer
* A catastrophe is a major disruption that destroys the facility altogether
72
What's a hot site?
* A facility that is leased or rented and is fully configured and ready to operate within a few hours
* The only missing resource is the data
73
What is a warm site?
* A warm site is a leased or rented facility that is partially configured with some equipment, such as HVAC and foundational infrastructure components, but not actual computers
* Drawback is that you have to procure the equipment and then set it up.
74
What is a cold site?
* A cold site is a leased or rented facility that supplies the basic environment, electrical wiring, AC, plumbing and flooring, but non of the equipment or additional services
* It could take weeks to get the site activated and ready to work.
* Least expensive option, but the most time consuming after the disaster
75
What is a tertiary site?
* If there's a danger of the main backup facility not being available, a tertiary site could be considered.
* Plan B if Plan A does not work out.
76
What is a reciprocal agreement?
* Company A allows Company B to use its facilities in the event of a disaster and vice versa
* Not always the greatest idea. Lots of downsides
* Security, operational, will it even work?
77
How far away should the backup facility be for DR?
* Bare minimum 5 miles
* 15miles for low to medium critical environments
* 50 - 200 miles for critical operations and to protect against regional disasters
78
What is a mutual aid agreement?
* It's like a reciprocal agreement, except it has more than 2 parties.
* Even more complicated than reciprocal agreements
79
What's a redundant site?
* There is a second site that is equipped and configured just like the primary site.
* It is owned by the company
* It is a mirror of the main site
* It is different from a hot site because a hot site is a subscription service, whereas a redundant site is owned by the company
80
What's a rolling hot site?
* Large truck or trailer that can be transported easily to a location. Loaded with equipment
* aka mobile site
81
What is a software escrow agreement?
* A third party holds the source code, backups of compiled code, manuals and other supporting materials
* Gives customer access to source code only if and when the vendor goes out of business, is unable to carry out its responsibilites or is in breach of the contract
82
What's the difference between a differential backup and an incremental backup?
* Differential backup is a backup of everthing since the last full backup
* Incremental backup is a backup of everything since the last full or incremental backup.
* Disadvantage is that if you need to recover you need to get the last full backup, plus every intervening incremental backup.
83
What is electronic vaulting?
* Electronic vaulting is making copies of files as they are modified and periodically transmits them to an offsite backup site.
* Does not happen in real-time, but is carried out in batches
84
What is remote journaling?
* Moving the journal (aka transaction logs) to a remote site, rather than the actual files
* Used for database recovery, where the trans can be replayed.
* Exam tip -- remote journaling takes place in real-time and transmits only file delta's . By comparison, electronic vaulting takes place in batches and moves the entire file that has been updated.
85
What is electronic tape vaulting?
Electronic tape vaulting transmits data over a network to tape devices located in the alternate data center.
86
What is an important part of DR that is dreaded by most people?
Documentation
87
What is proximate cause?
Proximate cause is an act or omission that naturally and directly produces a consequence.
88
What should be considered to fill the gap between preventive countermeasures and the unexpected?
Insurance
Cyber insurance to protect against DOS attachks, malware damages, electronic theft, privacy lawsuits, etc.
Businesness interruption insurance if the company is out of business for a certain amount of time.
89
What are some of the key teams needed for a DR plan?
* Damage assessment team
* Recovery team
* Relocation team
* Restoration team
* Salvage team
* Security team
90
What does the DR assessment team do?
* Determine the cause of the disaster
* Determine the potential for further damage
* Identify affected business functions and areas
* Identify the level of functionality for the critical resources
* Identify the resources that must be replaced immediately
* Estimate how long it will take to bring critical functions back on line
* If it will take longer than the estimated MTD, then a disaster should be declared and the BCP should be put into action
91
In a disaster, what is the top priority?
Human safety
92
What are the four requirements for evidence to be admissible in court?
1. Relevant
2. Complete
3. Sufficient
4. Reliable
93
An administrator is granting permissions to a database. What is the default level of access the administrator should grant to new users in the organization?
No access
94
What is a primary benefit of job rotation and separation of duties policies?
Preventing fraud
95
Which of the following can be an effective method of configuration management using a baseline?
Using images
96
Which of the following is the best response after detecting and verifying an incident?
Containment is the first step after detecting and verifying an incident. This limits the effect or scope of an incident. Organizations report the incident based on policies and governing laws, but this is not the first step.
97
Which of the following would security personnel do during the remediation stage of an incident response?
Security personnel perform a root cause analysis during the remediation stage. A root cause analysis attempts to discover the source of the problem.
98
Of the following choices, what is the best form of anti-malware protection?
Anti-malware protection at several locations
A multipronged approach provides the best solution. This involves having antimalware software at several locations, such as at the boundary between the internet and the internal network, at email servers, and on each system. More than one antimalware application on a single system isn’t recommended. A single solution for the whole organization is often ineffective because malware can get into the network in more than one way. Content filtering at border gateways (boundary between the internet and the internal network) is a good partial solution, but it won’t catch malware brought in through other methods.
99
What can be used to reduce the amount of logged or audited data using nonstatistical methods?
Clipping levels
Clipping is a form of nonstatistical sampling that reduces the amount of logged data based on a clipping-level threshold. Sampling is a statistical method that extracts meaningful data from audit logs.
100
What is the end goal of disaster recovery planning?
Restoring normal business activity
Once a disaster interrupts the business operations, the goal of DRP is to restore regular business activity as quickly as possible. Thus, disaster recovery planning picks up where business continuity planning leaves off.
101
According to the Federal Emergency Management Agency, approximately what percentage of U.S. states is rated with at least a moderate risk of seismic activity?
80 percent
Forty-one of the 50 U.S. states are considered to have a moderate, high, or very high risk of seismic activity. This rounds to 80 percent to provide the value given in option D.
102
What is the typical time estimate to activate a warm site from the time a disaster is declared?
12 hours
103
What is the main purpose of a military and intelligence attack?
To obtain secret and restricted information from military or law enforcement sources
A military and intelligence attack is targeted at the classified data that resides on the system. To the attacker, the value of the information justifies the risk associated with such an attack. The information extracted from this type of attack is often used to plan subsequent attacks.
104
What's the main goal of a financial attack?
A financial attack focuses primarily on obtaining services and funds illegally.
105
What's the goal of a grudge attack?
Any action that can harm a person or organization, either directly or through embarrassment, would be a valid goal of a grudge attack. The purpose of such an attack is to “get back” at someone.
106
What are the primary reasons attackers engage in thrill attacks? (Choose all that apply.)
* Bragging rights
* Pride of conquering a secure system
Thrill attacks have no reward other than providing a boost to pride and ego. The thrill of launching the attack comes from the act of participating in the attack (and not getting caught).
107
According to the (ISC)2 Code of Ethics, how are CISSPs expected to act?
1. Honorably,
2. honestly,
3. justly,
4. responsibly
5. legally
108
Which of the following actions are considered unacceptable and unethical according to RFC 1087, “Ethics and the Internet”?
Only “actions that compromise the privacy of users” are explicitly identified in RFC 1087.
109
