Security Operations

Question 1

Q. 1 Which of the following is NOT a precaution that needs to be taken before monitoring email?

Coming up with strict procedures that define under what circumstances email may be searched
Posting a notice visible to all stating that email is company information subject to search
Issuing monitoring tools to all email administrators
Making sure that all employees know that email is being monitored

Answer 1

Issuing monitoring tools to all email administrators

Note
Issuing monitoring tools to email administrators is not a precaution. The other answers are all prudent steps that need to be taken before any monitoring is performed.

Question 2

Q. 2 Entrapment is defined as

Leading someone to commit a crime that he or she wouldn’t otherwise have committed
Monitoring with the intent of recording a crime
Paying someone to commit a crime
Being caught with criminal evidence in one’s possession

Answer 2

Leading someone to commit a crime that he or she wouldn’t otherwise have committed

Note
Entrapment refers to the activities that lure an individual into committing a crime that he or she wouldn’t have otherwise committed.

Question 3

Q. 3 A DRP checklist test

Is a basic review of disaster recovery procedures
Is a test of backup system business resumption procedures
Is a test of production system recovery procedures
Is a test of business process failover procedures

Answer 3

Is a basic review of disaster recovery procedures

Note
A checklist test is the simplest form of DR test in which procedures are reviewed.

Question 4

Q. 4 The primary difference between a hot site and a warm site is

A hot site is physically closer to the organization’s data centers than a warm site
The warm site’s systems don’t have the organization’s data installed
The warm site doesn’t have computer systems in it
The warm site is powered down, but the hot site is powered up and ready to go

Answer 4

The warm site’s systems don’t have the organization’s data installed

Note
A warm site is the same as a hot site, except that applications and data aren’t installed on the warm site’s systems.

Question 5

Q. 5 Which of the following are examples of a natural disaster? Drag and drop the correct answer(s) from top to bottom.

Flood
Terrorism
Pandemic
Tsunami

Answer 5

Flood
Pandemic
Tsunami

Note
Terrorism is a manmade disaster.

Question 6

Q. 6 Forensics is the term that describes

Due process
Tracking hackers from other countries
Taking steps to preserve and record evidence
Scrubbing a system in order to return it to service

Answer 6

Taking steps to preserve and record evidence

Note
Forensics is the study and activity of discovering, preserving, and recording evidence.

Question 7

Q. 7 The Disaster Recovery Plan needs to be continuously maintained because

The organization’s software versions are constantly changing
The organization’s business processes are constantly changing
The available software patches are constantly changing
The organization’s data is constantly changing

Answer 7

The organization’s business processes are constantly changing

Note
To be effective, a DRP must include all current critical business processes.

Question 8

Q. 8 What’s considered the most effective form of magnetic media erasure?

Physical destruction
Degaussing
Overwriting
Relabeling

Answer 8

Physical destruction

Note
Only complete physical destruction will positively guarantee that data cannot be recovered from magnetic storage media.

Question 9

Q. 9 Least privilege means

An analysis determines which privileges are required to complete a task
People who have high privileges delegate some of those privileges to others
The people who have the fewest access rights do all the work
Users should have the minimum privileges required to perform required tasks

Answer 9

Users should have the minimum privileges required to perform required tasks

Note
Least privilege means that users have access to only the data and functions required to perform their duties.

Question 10

Q. 10 A data processing facility on truck trailers or in portable buildings is known as

A tornado magnet
A migratory backup site
A rolling backup site
An semi-permanent backup site

Answer 10

A rolling backup site

**Note**
A rolling (or mobile) backup site is a portable site located on a truck trailer or other portable facility.

Question 11

Q. 11 What are the types of DRP tests? Drag and drop the correct answer(s) from top to bottom.

Checklist
Full interruption
Parallel
Simulation
Walkthrough

Answer 11

Checklist
Full interruption
Parallel
Simulation
Walkthrough

Note
The five types of DRP tests are checklist, walkthrough, simulation, parallel, and full interruption.

Question 12

Q. 12 How is the organization’s DRP best kept up-to-date?

With random audits to identify changes in business processes
By maintaining lists of current software versions, patches, and configurations
By maintaining personnel contact lists
By regularly testing the DRP

Answer 12

By regularly testing the DRP

Note
Audits are useful for revealing changes that may be needed in the DRP.

Question 13

Q. 13 The practice of separation of duties

Provides variety by rotating personnel among various tasks
Helps to prevent any single individual from compromising an information system
Ensures that the most experienced persons get the best tasks
Is used in large 24x7 operations

Answer 13

Helps to prevent any single individual from compromising an information system

Note
Separation of duties ensures that no single individual has too many privileges, which can lead to a security incident or fraud.

Question 14

Q. 14 The process of identifying the reason for an incident is known as

Predictive analytics
Quality control
Finger pointing
Root cause analysis

Answer 14

Root cause analysis

Note
Root cause analysis is used to find the reason that a problem or incident occurred.

Question 15

Q. 15 A parallel DRP test

Is resource intensive and rarely used
Tests the full responsiveness by shutting down production systems
Runs in parallel with production processing
Is a paper exercise to test theoretical response to a disaster

Answer 15

Runs in parallel with production processing

Note
A parallel test is a full test that DOES NOT shut down production systems.

Question 16

Q. 16 Enticement is defined as

Being caught with criminal evidence in one’s possession
Leading someone to commit a crime that they wouldn’t otherwise have committed
Monitoring with the intent of recording a crime
Leading someone toward evidence after a crime has already been committed

Answer 16

Leading someone toward evidence after a crime has already been committed

Note
Enticement is used to keep a criminal at the scene of a crime. In the context of computer crime, a honeypot is a great way to keep an intruder around while his or her origin is traced.
Both entrapment and enticement involve persuading or leading someone to commit an unlawful act. Entrapment involves causing someone to commit an unlawful act that that person would not otherwise have committed. Enticement involves causing someone to commit an unlawful act (such as attacking a honeypot that records further evidence of a crime) after that person has already committed a crime (such as hacking into the network where the honeypot is located). Entrapment is illegal; enticement is not illegal. However, evidence collected through enticement may or may not be admissible in court proceedings.

Question 17

Q. 17 Multiple versions of a DRP in the organization will

Ensure all essential personnel have a copy of the DRP
Provide a record of changes to the DRP for auditing purposes
Cause confusion during a disaster
Demonstrate due diligence in the event of civil litigation

Answer 17

Cause confusion during a disaster

Note
Only one version of the DRP should be available, in order to avoid confusion about the most current business processes, roles, and responsibilities.

Question 18

Q. 18 Which of the following is NOT a security issue regarding single-user mode?

Authentication is disabled on all network services, such as Telnet and FTP
The administrator has full root privileges and can make system changes
Security features are disabled in single-user mode
The administrator can transmit information off the system without a trace

Answer 18

Authentication is disabled on all network services, such as Telnet and FTP

Note
Authentication being disabled on network services, such as Telnet and FTP, are security concerns on any system, not just only a system operating in single-user mode. Root privileges, disabled security features, and the ability to transmit information without detection are all important security concerns inherent to a system operating in single-user mode.

Question 19

Q. 19 Why are communications with the media important during a disaster?

Emergency communications with personnel occur through the media
The media can report official status instead of relying on rumors
It’s required by the Securities and Exchange Commission
It’s recommended by the Business Contingency Planning Association

Answer 19

The media can report official status instead of relying on rumors

Note
In the absence of official communication with the media, inaccurate information about the disaster and its impact is likely to be spread.

Question 20

Q. 20 A witness

Offers an opinion based on the facts of a case and on personal expertise
Is someone who was present at the scene of the crime
Has direct personal knowledge about the event in question
Can testify in criminal proceedings only

Answer 20

Has direct personal knowledge about the event in question

Note
A witness testifies to the facts of a case as he or she understands them.

Question 21

Q. 21 What’s the purpose of off-site media storage?

An alternate backup media set in the event of a program bug
An alternate backup media set in the event of an operator error
An alternate backup media set in the event of a catastrophic hardware failure
An alternate backup media set in the event that the data center is destroyed

Answer 21

An alternate backup media set in the event that the data center is destroyed

Note
The primary intent for off-site media storage is to have a set of backup media available in case the primary data center is damaged or destroyed in the event of a disaster.

Question 22

Q. 22 The number one priority during any disaster should always be

Communications
Personnel safety
Resumption of core business functions
Security of physical facilities

Answer 22

Personnel safety

Note
The lives and safety of people always come first.

Question 23

Q. 23 The purpose of a honeypot is to

Log an intruder’s actions
Act as a decoy to lure attackers away from the real target, study attack methods, and collect evidence
Deflect Denial of Service attacks away from production servers
Provide direct evidence of a break-in

Answer 23

Act as a decoy to lure attackers away from the real target, study attack methods, and collect evidence

Note
A honeypot is designed to keep an intruder sniffing around long enough for investigators to determine his or her origin and/or identity.

Question 24

Q. 24 What’s the potential security benefit of rotation of duties?

It reduces the risk that personnel will perform unauthorized activities
It ensures that all personnel are familiar with all security tasks
It’s used to detect covert activities
It ensures security because personnel aren’t too familiar with their duties

Answer 24

It reduces the risk that personnel will perform unauthorized activities

Notes
Rotation of duties helps to prevent situations in which individuals are potentially tempted to perform unauthorized activities by limiting familiarity and increasing the risk of discovery by another individual subsequently performing the same duties.

Question 25

Q. 25 A hot site is the most expensive because Travel costs can be high Duplicate staff salaries are high HVAC systems are expensive to operate It requires constant maintenance to keep systems synchronized

Answer 25

It requires constant maintenance to keep systems synchronized **Notes** All systems, applications, and data must be kept current with the production site, including upgrades and patches.

Question 26

Q. 26 The process of reviewing and approving changes in production systems is known as Availability management Configuration management Change management Resource control

Answer 26

Change management **Notes** Change management is the function that controls changes made to a production environment.

Question 27

Q. 27 Remote journaling refers to A mechanism that transmits transactions to an alternate processing site A procedure for maintaining multiple copies of change control records A procedure for maintaining multiple copies of configuration management records A mechanism that ensures the survivability of written records

Answer 27

A mechanism that transmits transactions to an alternate processing site **Note** Remote journaling keeps data up-to-date at an alternate site.

Question 28

Q. 28 Which of the following tasks would typically be performed by a security administrator? Drag and drop the correct answer(s) from top to bottom. ``` Change file permissions Virtualizing servers Configuring user privileges Installing system software Reviewing audit data ```

Answer 28

Configuring user privileges Reviewing audit data Change file permissions **Note** Virtualizing servers and installing system software are tasks typically performed by a system administrator, not a security administrator.

Question 29

Q. 29 What’s the purpose of a salvage team? To resume critical business operations at the alternate processing site To retrieve any needed items from off-site storage To return the primary processing site to normal business operations To salvage any usable or marketable assets after a disaster

Answer 29

To return the primary processing site to normal business operations **Note** The salvage team is responsible for resuming normal business operations at the primary site(s).

Question 30

Q. 30 What’s the purpose of a recovery team? To resume critical business operations at the alternate processing site To retrieve any needed items from off-site storage To return the primary processing site to normal business operations To salvage any usable or marketable assets after a disaster

Answer 30

To resume critical business operations at the alternate processing site **Note** The recovery team is responsible for getting critical business operations up and running as soon as possible at an alternate site.

Question 31

Q. 31 An expert witness Offers an opinion based on the facts of a case and on personal expertise Is someone who was present at the scene of the crime Has direct personal knowledge about the event in question Can testify in criminal proceedings only

Answer 31

Offers an opinion based on the facts of a case and on personal expertise **Note** An expert witness offers his or her opinion based on the facts of the case and on personal expertise.

Question 32

Q. 32 The maximum period of time in which data might be lost if a disaster strikes is known as RTO RPO MTD MTBF

Answer 32

RPO **Note** Recovery point objective (RPO) is the maximum period of time in which data might be lost if a disaster strikes. RPO refers to the oldest acceptable backup of data for a specific application in an organization. For example, if the RPO is 24 hours, then the maximum period of time in which data might be lost if a disaster strikes is 24 hours. Recovery time objective (RTO) is the maximum acceptable amount of time that it takes to recover data from a backup. MTD refers to month-time-date and has no application in disaster recovery or business continuity as it refers to how long an organization’s systems can be down after a disaster has occurred. For example, MTD for critical systems might be one hour and less critical systems might have an MTD of 4 hours, 24 hours, or one week. MTBF refers to mean time between failures and is used to express the average reliability of a system or component.

Question 33

Q. 33 When is a disaster considered to be over? When the governor declares the end of a state of emergency When the recovery phase has begun When all business operations have resumed at alternate operations site(s) When all business operations have resumed at the primary operations site(s)

Answer 33

When all business operations have resumed at the primary operations site(s) **Note** A disaster is considered to be over when all normal business operations have resumed at the primary site(s).

Question 34

Q. 34 Which of the following is NOT a concern for a hot site? Programs and data at the hot site must be protected A widespread disaster will strain the hot site’s resources A hot site is expensive because of the controls and patches required Computer equipment must be shipped quickly to the hot site in the event of a disaster

Answer 34

Computer equipment must be shipped quickly to the hot site in the event of a disaster **Note** A hot site already has computer equipment installed and ready.

Question 35

Q. 35 Backing up data by sending it through a communications line to a remote location is known as what? Drag and drop the correct answer(s) from top to bottom. Transaction journaling Off-site storage Electronic journaling Electronic vaulting

Answer 35

Electronic vaulting **Note** Electronic vaulting describes backing up data to another location over a communications network.

Question 36

Q. 36 The purpose of a Service Level Agreement is To guarantee a minimum performance level for an application or function To guarantee the maximum performance level for an application or function To identify gaps in availability of an application To correct issues identified in a security audit

Answer 36

To guarantee a minimum performance level for an application or function **Note** An SLA defines minimum performance metrics required in an application or service.

Question 37

Q. 37 What’s the purpose of a Criticality Assessment? It identifies the funding required during a disaster It identifies the critical personnel in the organization It identifies the critical path to full disaster recovery It identifies the processes and resources that are most important for business operations

Answer 37

It identifies the processes and resources that are most important for business operations **Note** A criticality assessment is used to identify the most critical business processes and functions in an organization.

Question 38

Q. 38 The process of maintaining and documenting software versions and settings is known as Availability management Configuration management Change management Resource control

Answer 38

Configuration management **Note** Configuration management is the function that is used to document software versions and settings.

Question 39

Q. 39 The purpose of root cause analysis is to Determine all possible reasons for an incident Determine the primary reason for an incident Determine the source of a malware attack Determine which forensic evidence is significant

Answer 39

Determine the primary reason for an incident **Note** Root cause analysis determines the main reason that an incident occurred.

Question 40

Q. 40 Standards for the reuse of magnetic media specify what minimum for magnetic media reuse? Degauss the media three times Degauss the media seven times Overwrite or format the media seven times Overwrite or format the media 21 times

Answer 40

Overwrite or format the media seven times **Note** Magnetic media must be overwritten or formatted at least seven times to ensure complete erasure to prevent recovery of data that was previously written to it.

Question 41

Q. 41 Configuration management is used to Document the approval process for configuration changes Control the approval process for configuration changes Ensure that changes made to an information system don’t compromise its security Preserve a complete history of the changes to software or data in a system

Answer 41

Preserve a complete history of the changes to software or data in a system **Note** Configuration management is used to preserve all prior settings or versions of software or hardware.