Security Operations Flashcards
Which of the following activities is not considered a valid form of penetration testing?
A) Denial-of-service attacks
B) Port scanning
C) Distribution of malicious code
D) Packet sniffing
Distribution of malicious code
Distribution of malicious code will almost always result in damage or loss of assets and is not used in a penetration test. However, denial-of-service attacks, port scanning, and packet sniffing may all be included in a penetration test.
Of the following choices, what is the best form of antivirus protection?
A) Multiple solutions on each system
B) A single solution throughout the organization
C) Antivirus protection at several locations
D) One hundred percent content filtering at all border gateways
Antivirus protection at several locations
A multipronged approach provides the best solution. This involves having antivirus software at several locations, such as at the boundary between the Internet and the internal network, at email servers, and on each system. More than one antivirus application on a single system isn’t recommended. A single solution for the whole organization is often ineffective because malware can get into the network in more than one way. Content filtering at border gateways (the boundary between the Internet and the internal network) is a good partial solution, but it won’t catch malware brought in through other methods.
You need to ensure a service provided by a server will continue even if the server fails. What should you use?
A) Clustering
B) A RAID array
C) Hot site
D) UPS
Clustering
Failover clustering uses two or more servers and will ensure that a service will continue even if a server fails. A redundant array of independent disks (RAID) allows a disk subsystem to continue to operate even if a disk fails. A hot site is an alternative location maintained in a ready state that can be used if the primary location suffers a serious outage. An uninterruptible power supply (UPS) provides short-term power for a system if the primary power source is lost.
What would an administrator use to check systems for known issues that attackers may use to exploit the systems?
A) Versioning tracker
B) Vulnerability scanner
C) Security audit
D) Security review
Vulnerability scanner
Vulnerability scanners are used to check systems for known issues and are part of an overall vulnerability management program. Versioning is used to track software versions and is unrelated to detecting vulnerabilities. Security audits and reviews help ensure that an organization is following its policies but wouldn’t directly check systems for vulnerabilities.
Audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and cyclic redundancy checks (CRCs) are examples of what?
A) Directive controls
B) Preventive controls
C) Detective controls
D) Corrective controls
Detective controls
Examples of detective controls are audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and CRCs.
Which operation is performed on media so it can be reused in a less-secure environment?
A) Erasing
B) Clearing
C) Purging
D) Overwriting
Purging
Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be used in less-secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.
Auditing is a required factor to sustain and enforce what?
A) Accountability
B) Confidentiality
C) Accessibility
D) Redundancy
Accountability
Auditing is a required factor to sustain and enforce accountability.
Which of the following would be completed during the remediation and review stage of an incident response?
A) Contain the incident
B) Collect evidence
C) Rebuild system
D) Root cause analysis
Root cause analysis
An incident is examined during the remediation and review stage. A root cause analysis is generated in an attempt to discover the source of the problem. After the cause is discovered, the review will often identify a solution to help prevent a similar occurrence in the future. Containing the incident and collecting evidence are done early in the incident response process. Rebuilding a system may be needed during the recovery stage.
What should be done as soon as an incident has been detected and verified?
A) Contain it
B) Report it
C) Remediate it
D) Gather evidence
Contain it
Containment should be the first step when an incident has been detected and verified, to limit the effect or scope of the incident. It should be reported based on an organization’s policies and governing laws, but this is not the first step. Remediation attempts to identify the cause of the incident and steps that can be taken to prevent a recurrence, but this is the last step, not the first. It is important to protect evidence while trying to contain an incident, but gathering the evidence will occur after containment.
Which of the following is true for a host-based intrusion detection system (HIDS)?
A) It monitors an entire network.
B) It monitors a single system.
C) It’s invisible to attackers and authorized users.
D) It cannot detect malicious code.
It monitors a single system.
An HIDS monitors a single system, looking for abnormal activity. A network-based IDS (NIDS) watches for abnormal activity on a network. An HIDS is normally visible as a running process on a system and provides alerts to authorized users. An HIDS can detect malicious code, much as antivirus software does.
Of the following choices, what is a primary goal of change management?
A) Personnel safety
B) Allowing rollback of changes
C) Ensuring that changes do not reduce security
D) Auditing privilege access
Ensuring that changes do not reduce security
The goal of change management is to ensure that any change does not lead to unintended outages or reduce security. Change management doesn’t affect personnel safety. A change management plan will commonly include a rollback plan, but that isn’t a specific goal of the program. Change management doesn’t perform any type of auditing.
Which of the following requires that archives of audit logs be kept for long periods of time?
A) Data remanence
B) Record retention
C) Data diddling
D) Data mining
Record retention
Record retention policies define the amount of time to keep any data, including logs. Data remanence is data that remains on media after it has supposedly been removed. Data diddling refers to the modification of data before or during data entry resulting in incorrect or corrupt data. Data mining refers to extracting meaningful knowledge from large amounts of data.
Of the following choices, what is not a valid security practice related to special privileges?
A) Monitor special privilege assignments.
B) Grant access equally to administrators and operators.
C) Monitor special privilege usage.
D) Grant access to only trusted employees.
Grant access equally to administrators and operators.
Special privileges should not be granted equally to administrators and operators. Special privileges are activities that require special access or elevated rights and permissions to perform many administrative and sensitive job tasks. Assignment and usage of these privileges should be monitored, and access should be granted only to trusted employees.
Which of the following steps would not be included in a change management process?
A) Immediately implement the change if it will improve performance.
B) Request the change.
C) Create a rollback plan for the change.
D) Document the change.
Immediately implement the change if it will improve performance.
Change management processes may need to be temporarily bypassed to respond to an emergency situation, but they should not be bypassed simply because someone thinks it can improve performance. Even when a change is implemented in response to an emergency, it should still be documented and reviewed after the incident. Requesting changes, creating rollback plans, and documenting changes are all valid steps within a change management process.
When using penetration testing to verify the strength of your security policy, which of the following is not recommended?
A) Mimicking attacks previously perpetrated against your system
B) Performing attacks without management knowledge
C) Using manual and automated attack tools
D) Reconfiguring the system to resolve any discovered vulnerabilities
Performing attacks without management knowledge
Penetration testing should be performed only with the knowledge and consent of the management staff. Unapproved security testing could result in productivity loss, trigger emergency response teams, and lead to legal action against the tester, including loss of employment. A penetration test can mimic previous attacks and use both manual and automated attack methods. After a penetration test, a system may be reconfigured to resolve discovered vulnerabilities.
An organization wants to reduce vulnerabilities against collusion and fraud from malicious employees. Of the following choices, what would not help with this goal?
A) Job rotation
B) Separation of duties
C) Mandatory vacations
D) Baselining
Baselining
Baselining is used for configuration management and would not help reduce collusion or fraud. Job rotation, separation of duties, and mandatory vacation policies will all help reduce collusion and fraud.
System architecture, system integrity, covert channel analysis, trusted facility management, and trusted recovery are elements of what security criteria?
A) Quality assurance
B) Operational assurance
C) Life cycle assurance
D) Quantity assurance
Operational assurance
Assurance is the degree of confidence you can place in the satisfaction of security needs of a computer, network, solution, and so on. Operational assurance focuses on the basic features and architecture of a system that lend themselves to supporting security.
Of the following choices, what indicates the primary purpose of an intrusion detection system (IDS)?
A) Detect abnormal activity.
B) Diagnose system failures.
C) Rate system performance.
D) Test a system for vulnerabilities.
Detect abnormal activity.
An IDS automates the inspection of audit logs and real-time system events to detect abnormal activity indicating unauthorized system access. While IDSs can detect system failures and monitor system performance, they don’t include the ability to diagnose system failures or rate system performance. Vulnerability scanners are used to test systems for vulnerabilities.
What is the most important aspect of marking media?
A) Date labeling
B) Content description
C) Electronic labeling
D) Classification
Classification
Classification is the most important aspect of marking media because it clearly identifies the value of the media and users know how to protect it based on the classification. Including information such as the date and a description of the content isn’t as important as marking the classification. Electronic labels or marks can be used, but when they are used, the most important information is still the classification of the data.
Which of the following attacks sends packets with the victim's IP address as both the source and the destination?
A) Land
B) Spamming
C) Teardrop
D) Ping flood
Land
In a land attack, the attacker sends a victim numerous SYN packets that have been spoofed so that both the source and the destination IP address are the victim’s IP address. Spamming attacks send unwanted email. A teardrop attack fragments traffic in such a way that the data packets can’t be reassembled. A ping flood attack floods the victim with ping requests.
Backup tapes have reached the end of their life cycle and need to be disposed of. What should be done with the tapes?
A) Throw them away. Because they are at the end of their life cycle, data cannot be obtained from them.
B) Purge the tapes of all data before disposing of them.
C) Erase data off the tapes before disposing of them.
D) Store the tapes in a storage facility.
Purge the tapes of all data before disposing of them.
The tapes should be purged, ensuring that data cannot be recovered using any known means. Even though tapes may be at the end of their life cycle, they can still hold data and should be purged before throwing them away. Erasing doesn’t remove all usable data from media, but purging does. There is no need to store the tapes if they are at the end of their life cycle.
How does a SYN flood attack work?
A) Exploits a packet processing glitch in Windows systems
B) Uses an amplification network to flood a victim with packets
C) Exploits a three-way handshake used by TCP
D) Sends oversized ping packets to a victim
Exploits a three-way handshake used by TCP
A SYN flood attack disrupts the TCP three-way handshake process by never sending the third packet. It is not unique to any specific operating system such as Windows. Smurf attacks use amplification networks to flood a victim with packets. A ping-of-death attack uses oversized ping packets.
Which of the following is not considered a denial-of-service attack?
A) Teardrop
B) Smurf
C) Ping of death
D) Spoofing
Spoofing
Spoofing is used by attackers to hide their identity in a variety of attacks but is not an attack by itself. Teardrop, smurf, and ping of death are all types of denial-of-service attacks.
Which of the following types of intrusion detection systems (IDSs) is effective only against known attack methods?
A) Behavior-based
B) Host-based
C) Knowledge-based
D) Network-based
Knowledge-based
A knowledge-based (or signature-based) IDS is effective only against known attack methods. A behavior-based IDS starts by creating a baseline of activity to identify normal behavior and then measures system performance against the baseline to detect abnormal behavior, allowing it to detect previously unknown attack methods. Both host-based and network-based systems can be knowledge based, behavior based, or a combination of both.