Operations Security Flashcards

1
Q

Define clipping level

A

a threshold that defines a baseline for normal user activity or an acceptable level of errors (for example a number of failed logins). Activity below the clipping level is treated as ordinary user error and ignored; only activity that exceeds it is logged, alerted on, or acted on (e.g. account lockout).

2
Q

For what 4 purposes can audit trails be used in operations security

A

to monitor problems
provide individual accountability with records of who took which activities and when
to detect possible system intrusions
to reconstruct events to support investigations

3
Q

What type of control provides replacement mechanisms for if primary controls are lost?

A

Compensating control

4
Q

What type of control is designed to stop users from violating security?

A

preventative control

5
Q

What type of control can restore a system to its normal operating state after a fault or incident occurs

A

Recovery control

6
Q

What type of control details procedures and guidelines for protecting security?

A

directive control

7
Q

4 items involved with maintaining operations security

A

maintaining operational resilience
protecting valuable assets
controlling system accounts
managing security services

8
Q

7 types of controls

A
directive
preventative
deterrent
compensating
detective
corrective
recovery
9
Q

define directive controls

A

state rules of acceptable behavior

10
Q

define preventative controls

A

designed to prevent any actions that violate a company’s security policy

11
Q

define deterrent controls

A

discourage individuals from violating security directives

12
Q

define compensating controls

A

serve to provide replacement for the loss of primary controls

13
Q

define detective controls

A

identify and warn of incidents of security control breaches

14
Q

define corrective controls

A

used to remedy circumstances, mitigate damage, and restore controls

15
Q

define recovery controls

A

restore a system to its normal operating state after a security incident.

16
Q

4 categories of controls

A

hardware
software
operations
media

17
Q

6 steps in change management

A
submit change request
approve the change
document the change
test the change
implement the change
report the change
18
Q

4 uses for audit trails

A

monitor problems
detect intrusions
ensure individual accountability
reconstruct events

19
Q

What port does SMTP use?

A

25

20
Q

What port does POP3 use?

A

110

21
Q

define email relaying

A

transferring email messages from one mail server to another on the way to the recipient. A relay that forwards mail for anyone (an open relay) can be abused to send spam or to hide the true origin of a message.

22
Q

define smtp relaying

A

sending email messages from one server to another using SMTP. An SMTP server that relays for unauthenticated, untrusted clients can be used to send spam or to hide the sender's identity.

23
Q

What ports does FTP use?

A

20

21

24
Q

Define Evasive Sweep

A

a scan that attempts to bypass the firewall and IDS without leaving a trace, i.e. without generating log entries or alerts.

25
Q

2 types of stealth scans

A

SYN scan

FIN scan

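The two stealth scans above are detectable on the defender's side from packet metadata alone, which is what a detective control (IDS) does with them. The following is an added example, not part of the original card set: it runs a small scan detector over a constructed set of packet summaries (the IP addresses, ports and flag sequences are made up for the example). A SYN scan shows up as many SYNs from one source that are never followed by an ACK from that source; a FIN scan shows up as bare FIN segments to ports where no handshake ever took place.

```python
from collections import defaultdict

# Constructed packet summaries, not a real capture.  Each entry is
# (src, dst, server_port, tcp_flags); server_port is the service port in both
# directions so that a flow can be keyed the same way from either side.
# Flags: S = SYN, SA = SYN/ACK, A = ACK, PA = PSH/ACK, FA = FIN/ACK, F = FIN, R = RST.


def _half_open_probe(scanner, target, port):
    """A SYN ("half-open") probe: SYN, target answers SYN/ACK, scanner tears down
    with RST instead of completing the handshake, so no application-level
    connection is ever established or logged by the service."""
    return [(scanner, target, port, "S"), (target, scanner, port, "SA"), (scanner, target, port, "R")]


PACKETS = []
for port in (22, 25, 80, 443, 3389):
    PACKETS += _half_open_probe("203.0.113.9", "10.0.0.2", port)
for port in (21, 23, 110, 143):
    # FIN scan: a bare FIN to a port with no preceding handshake
    PACKETS.append(("203.0.113.10", "10.0.0.2", port, "F"))
PACKETS += [  # a legitimate HTTP session for contrast: full handshake, data, orderly close
    ("192.0.2.5", "10.0.0.2", 80, "S"), ("10.0.0.2", "192.0.2.5", 80, "SA"),
    ("192.0.2.5", "10.0.0.2", 80, "A"), ("192.0.2.5", "10.0.0.2", 80, "PA"),
    ("192.0.2.5", "10.0.0.2", 80, "FA"),
]


def detect_scans(packets, threshold=3):
    """Flag sources that touch >= threshold distinct (host, port) pairs with either
    SYNs never followed by an ACK from the same source, or FINs with no prior SYN.
    Returns {src: (scan_type, count)}."""
    syn_sent = set()                 # (src, dst, port) flows the src opened with SYN
    completed = set()                # those the src later acknowledged (handshake finished)
    fin_without_syn = defaultdict(set)
    for src, dst, port, flags in packets:
        key = (src, dst, port)
        if flags == "S":
            syn_sent.add(key)
        elif "A" in flags and key in syn_sent:
            completed.add(key)
        elif flags == "F" and key not in syn_sent:
            fin_without_syn[src].add((dst, port))

    half_open = defaultdict(set)     # SYNs the source never completed
    for src, dst, port in syn_sent - completed:
        half_open[src].add((dst, port))

    findings = {}
    for src, targets in half_open.items():
        if len(targets) >= threshold:
            findings[src] = ("SYN scan", len(targets))
    for src, targets in fin_without_syn.items():
        if len(targets) >= threshold:
            findings[src] = ("FIN scan", len(targets))
    return findings


if __name__ == "__main__":
    for src, (kind, n) in detect_scans(PACKETS).items():
        print(f"{src}: {kind} against {n} ports")
```

The threshold is the clipping level of this detector: a single unfinished handshake or stray FIN is normal network noise, several from one source within a capture are not. Half-open probes to closed ports (answered with RST) are counted as well, since the scanner still never completes the handshake.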
26
Q

4 types of admin controls to improve security

A

separation of duties
rotation of duties
least privileges
mandatory vacations

27
Q

In the event of a security incident, one of the primary objectives of the operations staff is to ensure that
A. the attackers are detected and stopped
B. there is minimal disruption to the organization’s mission
C. appropriate documentation about the event is maintained as chain of evidence
D. the affected systems are immediately shut off to limit the impact

A

B. there is minimal disruption to the organization’s mission

28
Q
Assuming a working IDS is in place, which of the following groups is best capable of stealing sensitive information due to the absence of system auditing?
A. malicious software
B. hacker or cracker
C. disgruntled employee
D. auditors
A

C. disgruntled employee

29
Q
Which of the following provides controlled and un-intercepted interfaces into privileged user functions?
A. ring protection
B. anti-malware
C. maintenance hooks
D. trusted paths
A

D. trusted paths

30
Q
The doors of a data center spring open in the event of a fire.  This is an example of 
A. fail-safe
B. fail secure
C. fail proof
D. fail closed
A

A. fail-safe

31
Q
Which of the following ensures constant redundancy and fault tolerance?
A. cold spare
B. warm spare
C. hot spare
D. archives
A

C. hot spare

32
Q
If speed is preferred over resilience, which of the following RAID configurations is the best choice?
A. raid 0
B. raid 1
C. raid 5
D. raid 10
A

A. raid 0

33
Q
Updating records in multiple locations or copying an entire database to a remote location as a means to ensure the appropriate levels of fault tolerance and redundancy is known as
A. data mirroring
B. shadowing
C. backup
D. archiving
A

B. shadowing

34
Q

When the backup window is not long enough to back up all of the data and the restoration from backup must be as fast as possible, which of the following types of high availability backup strategies is best?
A. full
B. incremental
C. differential
D. increase the backup window so a full backup can be performed.

A

C. differential
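Why differential wins that trade-off is easier to see with numbers. The following is an added example, not part of the original cards: it models one week of backups under each strategy for a constructed 100 GB dataset with made-up daily change volumes, and compares how much data the backup window has to absorb against how many backup sets a restore on Saturday has to read.

```python
# Constructed scenario: a 100 GB dataset, a full backup on day 0 (Sunday) and
# the amount of data that changes on each of the next six days.  The numbers
# are illustrative, not measurements.
FULL_GB = 100
DAILY_CHANGE_GB = [2, 3, 1, 4, 2, 5]   # Monday .. Saturday


def schedule(strategy):
    """Return the backup sets written during the week as (day, kind, size_gb).

    full:         everything, every day
    incremental:  only what changed since the previous backup of any kind
    differential: everything that changed since the last full backup
    """
    if strategy not in ("full", "incremental", "differential"):
        raise ValueError(strategy)
    sets = [(0, "full", FULL_GB)]
    changed_since_full = 0
    for day, change in enumerate(DAILY_CHANGE_GB, start=1):
        changed_since_full += change
        if strategy == "full":
            sets.append((day, "full", FULL_GB + changed_since_full))
        elif strategy == "incremental":
            sets.append((day, "incremental", change))
        else:
            sets.append((day, "differential", changed_since_full))
    return sets


def restore_chain(strategy, sets, day):
    """Backup sets that must be read, in order, to restore the system to `day`."""
    if strategy == "full":
        return [s for s in sets if s[0] == day]
    full = sets[0]
    if strategy == "incremental":
        # the full plus every incremental since it, applied in order; losing any one breaks the chain
        return [full] + [s for s in sets if 0 < s[0] <= day]
    # differential: the full plus only the most recent differential
    return [full] + [s for s in sets if s[0] == day]


def compare(day=6):
    """Backup volume written over the week versus what a restore on `day` has to read."""
    result = {}
    for strategy in ("full", "incremental", "differential"):
        sets = schedule(strategy)
        chain = restore_chain(strategy, sets, day)
        result[strategy] = {
            "written_gb": sum(size for _, _, size in sets[1:]),   # Monday..Saturday
            "restore_sets": len(chain),
            "restore_gb": sum(size for _, _, size in chain),
        }
    return result


if __name__ == "__main__":
    for strategy, stats in compare().items():
        print(f"{strategy:12s} {stats}")
```

Every strategy reads the same number of gigabytes on restore; what differs is the window load (652 GB for daily fulls versus 52 GB for differentials) and the number of sets a restore depends on (seven for incrementals, two for differentials). Differential backups therefore fit a short window while keeping the restore to a full plus one set.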

35
Q
At a restricted facility, visitors are requested to provide identification and verified against a pre-approved list by the guard at the front gate before being let in.  This is an example of checking for:
A. least privilege
B. separation of duties
C. fail safe
D. psychological acceptability
A

A. least privilege

36
Q

The major benefit of information classification is to
A. map out the computing ecosystem
B. identify the threats and vulnerabilities
C. determine the software baseline
D. identify the appropriate level of protection needs

A

D. identify the appropriate level of protection needs

37
Q
When sensitive information is no longer critical but still within scope of a record retention policy, that information is best
A. destroyed
B. re-categorized
C. degaussed
D. released
A

B. re-categorized

38
Q
The main benefit of placing users into groups and roles is
A. ease of user administration
B. increased security
C. ease of programmatic access
D. increased automation
A

A. ease of user administration

39
Q
Which of the following best determines the suitability of an individual?
A. job rank or title
B. partnership with the security team
C. role
D. background investigation
A

D. background investigation

40
Q
Reports must be specific on both the message and which of the following?
A. intended audience
B. delivery options
C. colors used
D. print layout
A

A. intended audience

41
Q
Which of the following can help with ensuring that only the needed logs are collected for monitoring?
A. clipping level
B. aggregation
C. xml parsing
D. inference
A

A. clipping level

42
Q
The main difference between a security information and event management (SIEM) system and a log management system is that SIEM systems are useful for log collection, collation, and analysis
A. in real time
B. for historical purposes
C. for admissibility in court
D. in discerning patterns
A

A. in real time

43
Q
When normal traffic is flagged as an attack, it is an example of 
A. fail safe
B. fail secure
C. false negative
D. false positive
A

D. false positive

44
Q
The best way to ensure that there is no data remanence of sensitive information that was once stored on a DVD-R media is by 
A. deletion
B. degaussing
C. destruction
D. overwriting
A

C. destruction

45
Q
Which of the following processes is concerned with not only identifying the root cause but also addressing the underlying issue?
A. incident management
B. problem management
C. change management
D. configuration management
A

B. problem management

46
Q

Before applying a software update to production systems, it is most important that
A. full disclosure information about the threat that the patch addresses is available
B. the patching process is documented
C. the production systems are backed up
D. an independent third party attests to the validity of the patch

A

C. the production systems are backed up

47
Q
Which of the following is not a common component of configuration management change control steps?
A. Tested and presented
B. Service level agreement approval
C. Report change to management
D. Approval of the change
A

B. Service level agreement approval

48
Q

A change management process should include a number of procedures. Which of the following incorrectly describes a characteristic or component of a change control policy?
A. Changes that are unanimously approved by the change control committee must be tested to uncover any unforeseen results.
B. Changes approved by the change control committee should be entered into a change log
C. A schedule that outlines the projected phases of the change should be developed
D. An individual or group should be responsible for approving proposed changes.

A

A. Changes that are unanimously approved by the change control committee must be tested to uncover any unforeseen results.

49
Q

The requirement of erasure is the end of the media life cycle if it contains sensitive information. Which of the following best describes purging?
A. Changing the polarization of the atoms on the media.
B. It is acceptable when media are to be reused in the same physical environment for the same purpose.
C. Data formerly on the media is made unrecoverable by overwriting it with a pattern.
D. Information is made unrecoverable, even with extraordinary effort.

A

D. Information is made unrecoverable, even with extraordinary effort.

50
Q

Device backup and other availability solutions are chosen to balance the value of having information available against the cost of keeping that information available. Which of the following best describes fault-tolerant technologies?
A. They are among the most expensive solutions and are usually only for the most mission critical information.
B. They help service providers identify appropriate availability services for the specific customer.
C. They are required to maintain integrity, regardless of the other technologies in place.
D. They allow a failed component to be replaced while the system continues to run.

A

A. They are among the most expensive solutions and are usually only for the most mission critical information.

51
Q
Which of the following refers to the amount of time it will be expected to take to get a device fixed and back into production?
A. SLA
B. MTTR
C. Hot Swap
D. MTBF
A

B. MTTR

Mean Time to Repair

52
Q

Which of the following correctly describes Direct Access and Sequential Access storage devices?
A. Any point on a direct access storage device may be promptly reached, whereas every point in between the current position and the desired position of a sequential access storage device must be traversed in order to reach the desired position.
B. RAIT is an example of a direct access storage device while RAID is an example of sequential access storage
C. MAID is a direct access storage device while RAID is an example of a sequential access storage device
D. As an example of sequential access storage, tape drives are faster than direct access storage

A

A. Any point on a direct access storage device may be promptly reached, whereas every point in between the current position and the desired position of a sequential access storage device must be traversed in order to reach the desired position.

53
Q
There are classifications for operating system failures.  Which of the following refers to what takes place when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system to a more consistent state, requiring an administrator to intervene?
A. Emergency system restart
B. Trusted recovery
C. system cold start
D. system reboot
A

C. system cold start

54
Q
Various levels of RAID dictate the type of activity that will take place within the RAID system.  Which level is associated with byte-level parity?
A. RAID level 0
B. RAID level 3
C. RAID level 5
D. RAID level 10
A

B. RAID level 3

55
Q

Which of the following incorrectly describes IP spoofing and session hijacking?
A. Address spoofing helps an attacker to hijack sessions between two users without being noticed.
B. IP spoofing makes it harder to track
C. Session hijacking can be prevented with mutual authentication.
D. IP spoofing is used to hijack SSL and IPSec secure communications.

A

D. IP spoofing is used to hijack SSL and IPSec secure communications.

56
Q
RAID systems use a number of techniques to provide redundancy and performance.  Which of the following activities divides and writes data over several drives?
A. Parity
B. Mirroring
C. Striping
D. Hot swapping.
A

C. Striping

57
Q

What is the difference between hierarchical storage management and storage area network technologies?
A. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement this technology.
B. HSM and SAN are one and the same. The difference is implementation.
C. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage
D. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage.

A

C. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage

58
Q
What type of exploited vulnerability allows more input than the program has allocated space to store it?
A. symbolic links
B. file descriptors
C. kernel flaws
D. Buffer overflow
A

D. Buffer overflow

59
Q

There are often scenarios where the IT staff must react to emergencies and quickly apply fixes or change configurations. When dealing with such emergencies, which of the following is the best approach to making changes?
A. Review the changes within 48 hours
B. Review and document the emergency changes after the incident is over
C. Activity should not take place in this manner
D. Formally submit the change to a change control committee and follow the complete change control process.

A

B. Review and document the emergency changes after the incident is over

Emergency fixes can bypass the normal request-and-approval sequence, but they must still be reviewed and recorded in the change log afterwards.

60
Q
Organizations should keep system documentation on hand to ensure that the system is properly cared for, that changes are controlled, and that the organization knows what's on the system.  What does not need to be in this type of documentation?
A. Functionality
B. changes
C. Volume of transactions
D. identity of system owner
A

C. Volume of transactions

61
Q

Fred is a new security officer who wants to implement a control for detecting and preventing users who attempt to exceed their authority by misusing the access rights that have been assigned to them. Which of the following best fits this need?
A. Management review
B. two-factor identification and authentication
C. capturing this data in audit logs
D. Implementation of a strong security policy

A

A. Management review

62
Q

Which of the following is the best way to reduce brute force attacks that allow intruders to uncover users’ passwords?
A. Increase the clipping level
B. Lock out an account for a certain amount of time after the clipping level is reached.
C. After a threshold of failed login attempts is met, the administrator must physically lock out the account.
D. Choose a weaker algorithm that encrypts the password file.

A

B. Lock out an account for a certain amount of time after the clipping level is reached.
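Cards 1, 41 and 62 all come down to the same mechanism: count failures per account inside a time window, tolerate everything below the clipping level as ordinary user error, and lock out (and alert) once the level is reached. The following is an added example, not part of the original card set: it implements that detective-plus-corrective control over a constructed, syslog-style authentication log. The log lines, user names and addresses are made up; the line format is an assumption chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, syslog-style authentication log (not from a real host).
# alice: five failures in six seconds, then one more attempt while locked out.
# bob:   two typos 25 minutes apart, then a successful login.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:03 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:04 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:05 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:06 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:07 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:05:00 sshd: Failed password for bob from 10.0.0.9
2024-03-01T09:30:00 sshd: Failed password for bob from 10.0.0.9
2024-03-01T09:31:00 sshd: Accepted password for bob from 10.0.0.9
"""

# Assumed line format for the example; adjust the pattern for a real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_auth_log(text):
    """Yield (timestamp, result, user, ip) for each line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def apply_clipping_level(text, clipping_level=5, window=timedelta(minutes=10),
                         lockout=timedelta(minutes=15)):
    """Sliding-window failed-login counter with a clipping level.

    Failures per user inside `window` are counted; reaching `clipping_level`
    locks the account until now + `lockout` and raises an alert.  Failures
    below the level are treated as ordinary user error and are not alerted,
    which is the point of a clipping level.  Returns (locked, alerts).
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked = {}                     # user -> lockout expiry
    alerts = []                     # (timestamp, user, ip, reason)
    for ts, result, user, ip in parse_auth_log(text):
        recent = failures[user]
        while recent and ts - recent[0] > window:   # expire failures outside the window
            recent.popleft()
        if user in locked and ts < locked[user]:
            # Any activity during a lockout is worth an alert: the attacker did not stop.
            alerts.append((ts, user, ip, "attempt during lockout"))
            continue
        if result == "Accepted":
            recent.clear()          # a successful login resets the counter
            continue
        recent.append(ts)
        if len(recent) >= clipping_level:
            locked[user] = ts + lockout
            alerts.append((ts, user, ip, f"{len(recent)} failures within {window}"))
            recent.clear()
    return locked, alerts


if __name__ == "__main__":
    locked, alerts = apply_clipping_level(SAMPLE_LOG)
    for ts, user, ip, reason in alerts:
        print(f"{ts} ALERT user={user} ip={ip}: {reason}")
    for user, until in locked.items():
        print(f"{user} locked until {until}")
```

Bob's two mistakes never reach the clipping level, so they produce no alert and no lockout; Alice's burst does, and the attempt that follows while the account is locked is reported separately. A timed lockout (option B) rather than a permanent one limits the damage an attacker can do by deliberately locking other users out.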

63
Q
Brandy couldn't figure out how Sam gained unauthorized access to her system, since he has little computer experience.  Which of the following is the most likely attack Sam used?
A. Dictionary attack
B. shoulder surfing attack
C. Covert channel attack
D. Timing attack
A

B. shoulder surfing attack

64
Q

The relay agent on a mail server plays a role in spam prevention. Which of the following incorrectly describes mail relays?
A. Antispam features on mail servers are actually antirelaying features
B. Relays should be configured wide open to receive any email message
C. Relay agents are used to send messages from one mail server to another
D. If a relay is configured wide open, the mail server can be used to send spam.

A

B. Relays should be configured wide open to receive any email message
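Cards 21, 22 and 64 describe relaying and the open-relay misconfiguration; what actually closes the relay is the decision a server takes at RCPT TO. The following is an added example, not code from the original cards or from any mail server: it shows a minimal anti-relay policy next to the wide-open one, and the SMTP envelope exchange each produces for a set of constructed probes. The local domain, trusted network and all addresses are assumptions for the example.

```python
import ipaddress

# Assumed deployment values for the example (not from the original page):
LOCAL_DOMAINS = {"example.com"}                          # domains this server delivers for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # internal clients allowed to send outbound


def closed_relay(client_ip, authenticated, mail_from, rcpt_to):
    """Anti-relay policy evaluated at RCPT TO.

    Deliver to local domains from anyone (that is inbound mail, not relaying).
    Forward to remote domains only for authenticated users or trusted networks.
    The envelope sender (MAIL FROM) is deliberately ignored: it is attacker-
    controlled and proves nothing about who the client is.
    """
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return True, "250 2.1.5 Ok (local delivery)"
    if authenticated:
        return True, "250 2.1.5 Ok (authenticated relay)"
    if any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS):
        return True, "250 2.1.5 Ok (trusted network relay)"
    return False, "554 5.7.1 Relay access denied"


def open_relay(client_ip, authenticated, mail_from, rcpt_to):
    """The misconfiguration: accept any recipient from any client."""
    return True, "250 2.1.5 Ok"


def smtp_transcript(policy, client_ip, authenticated, mail_from, rcpt_to):
    """The envelope part of an SMTP session as the server would answer it."""
    accepted, reply = policy(client_ip, authenticated, mail_from, rcpt_to)
    return [f"C: MAIL FROM:<{mail_from}>", "S: 250 2.1.0 Ok",
            f"C: RCPT TO:<{rcpt_to}>", f"S: {reply}"], accepted


# Constructed probes: (client_ip, authenticated, mail_from, rcpt_to)
PROBES = [
    ("198.51.100.7", False, "spammer@evil.test", "victim@other.test"),    # outsider relaying to outsider
    ("198.51.100.7", False, "spammer@evil.test", "alice@example.com"),    # outsider delivering inbound
    ("192.0.2.10", False, "alice@example.com", "bob@other.test"),         # internal client sending out
    ("198.51.100.7", True, "alice@example.com", "bob@other.test"),        # roaming user, authenticated
    ("198.51.100.7", False, "alice@example.com", "bob@other.test"),       # forged local sender, no auth
]


def evaluate(policy):
    """Which probes the policy accepts, in PROBES order."""
    return [smtp_transcript(policy, *probe)[1] for probe in PROBES]


if __name__ == "__main__":
    for name, policy in (("closed relay", closed_relay), ("open relay", open_relay)):
        print(name, evaluate(policy))
    for line in smtp_transcript(closed_relay, *PROBES[0])[0]:
        print(line)
```

The first and last probes are the ones a spammer sends: a third-party recipient from an untrusted address, with or without a forged local sender. The open relay accepts both, which is why an open relay can be used to send spam and to hide where a message really came from; the closed policy still accepts inbound mail for its own domain, so it is not less reachable, only less abusable.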