Security Operations (OPS) Flashcards

Question

Conclusive Evidence

Answer 1

Irrefutable, cannot be contradicted Requires no other corraboration

Answer 2

A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack

Answer 3

Collection of component CI’s that make another CI

Answer 4

Component whose state is recorded

Answer 5

Mitigate damage by isolating compromised systems from the network.

Answer 6

Supports or substantiates other evidence presented in a case

Answer 7

Unused network space that may detect unauthorized activity

Answer 8

Individuals and departments responsible for the storage and safeguarding of computerized data.

Answer 9

A database that contains the name, type, range of values, source and authorization for access for each data element

Answer 10

Is a country or location that has no laws or poorly enforced laws

Answer 11

The property that data meet with a priority expectation of quality and that the data can be relied upon.

Answer 12

Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes.

Answer 13

Systems attempt to detect and block exfiltration attempts. These systems have the capability of scanning for keywords and patterns.

Answer 14

Individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting and use of computerized data.

Answer 15

Real-time data backup ( Data Mirroring)

Answer 16

External communications

Answer 17

Protection of stored or displayed information by removal/reduction of the magnetic field (demagnetization).

Answer 18

Identification and notification of an unauthorized and/or undesired action

Answer 19

Bolt down hardware

Answer 20

Only modified files, doesn’t clear archive bit. Advantage: full and only last one needed, Intermediate time between.

Answer 21

Can prove fact by itself and does not need any type of backup. Testimony from a witness; one of their 5 senses. Oral: case can’t stand on it alone Oral: does not need other evidence to substantiate

Answer 22

Senses a break or change in a circuit magnets pulled lose, wires door, pressure pads

Answer 23

Periodic, automatic and transparent backup of data in bulk.

Answer 24

Occurs after a failure happens in an uncontrolled manner. E.g. when a low privileged user tries to access restricted memory segments

Answer 25

Can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.

Answer 26

The legal action of luring an intruder, like in a honeypot

Answer 27

Refers to the amount of privileges granted to users, typically when first provisioning an account. A user audit can detect when employees have excessive privileges

Answer 28

The illegal act of inducing a crime; the individual had no intent of committing the crime at first

Answer 29

Malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization. Often with the intent of disclosing or selling the information to a competitor or other interested organization (such as a foreign government). Attackers can be dissatisfied employees, and in some cases, employees who are being blackmailed from someone outside the organization. Countermeasures are to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.

Answer 30

Must be preserved and identifiable Sufficient –persuasive enough to convince one of its validity Reliable –consistent with fact, evidence has not been tampered with or modified Relevant –relationship to the findings must be reasonable and sensible, Proof of crime, documentation of events, proof of acts and methods used, motive proof, identification of acts Permissible – lawful obtaining of evidence, avoid: unlawful search and seizure, secret recording, privacy violations, forced confessions, unlawful obtaining of evidence Preserved and identifiable – collection, reconstruction Identification labeling, recording serial number etc. Evidence must be preserved and identifiable

Answer 31

1. Discovery 2. Protection 3. Recording 4. Collection and identification 5. Analysis 6. Storage, preservation, transportation 7. Present in court 8. Return to owner

Answer 32

Allows officials to seize evidence before it's destroyed (police team fall in)

Answer 33

Most conservative from a security perspective

Answer 34

Program execution is terminated and system protected from hardware or software compromise occurs DOORS usually

Answer 35

Or resilient system: reboot, selected, non-critical processing is terminated

Answer 36

Switches to hot backup

Answer 37

Backup critical information thus enabling data recovery

Answer 38

The event signaling an IDS to produce an alarm when no attack has taken place

Answer 39

A failure of an IDS to detect an actual attack

Answer 40

An alert or alarm that is triggered when no actual attack has taken place

Answer 41

Mitigation of system or component loss or interruption through use of backup capability.

Answer 42

Carried out to unlawfully obtain money or services.

Answer 43

All files, archive bit and modify bit are cleared. Advantage: only previous day needed for full restore, disadvantage: time consuming

Answer 44

System can restore functional processes automatically

Answer 45

Carried out to damage an organization or a person. The damage could be in the loss of information or information processing capabilities or harm to the organization or a person’s reputation.

Answer 46

Want to verify their skills as intruders

Answer 47

Often combine political motivations with the thrill of hacking.

Answer 48

Review the contents. This may include a review of Personal computers & Smartphones

Answer 49

Second-hand data not admissible in court

Answer 50

Something a witness hears another one say. Business records and all that’s printed or displayed. Exception: audit trails and business records when the documents are created in the normal course of business.

Answer 51

Information that, if made public or even shared around the organization, could seriously impede the organization's operations

Answer 52

Monitors activity on a single computer, including process calls and information recorded in firewall logs. Often examines events in more detail than NIDS, can pinpoint specific files compromised in an attack. Can track processes employed by the attacker. A benefit over NIDSs is that it can detect anomalies on the host system.

Answer 53

Redundant component that provides failover capability in the event of failure or interruption of a primary component.

Answer 54

Software component that manages the virtual components. Adds an additional attack surface, so it’s important to ensure it is deployed in a secure state and kept up-to-date with patches, controls access to physical resources

Answer 55

Event or series of events that adversely impact the ability of an organization to do business; suspected attack

Answer 56

A documented battle plan for coordinating response to incidents.

Answer 57

Detect Respond Report Recover Remediate Review

Answer 58

Only modified files, archive bit cleared, Advantage: least time and space, Disadvantage: first restore full then all incremental backups, thus less reliable because it depends on more components

Answer 59

loss would inconvenience the organization but disclosure is unlikely to result in financial loss or serious damage to credibility.

Answer 60

Evidence retrieval method, ultimately obtain a confession

Answer 61

Gather facts and determine the substance of the case.

Answer 62

Occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization’s resources.

Answer 63

Monitors recorded information and real-time events to detect abnormal activity indicating a potential incident. Automates the inspection of logs and real-time events to find attempts and failures. An effective method of detecting many DoS and DDoS attacks. Can recognize attacks that come from external connections, such as from the Internet, and attacks that spread internally such as a malicious worm. Responds by sending alerts or raising alarms. In some cases can modify the environment to stop an attack. A primary goal is to provide a means for a timely and accurate response to attacks. Intended as part of a defense-in-depth security plan. It will work with and compliment other security mechanisms but does not replace them.

Answer 64

Includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions. If desired, administrators can disable these extra features, essentially causing it to function as an IDS.

Answer 65

ME, Africa, Indonesia

Answer 66

Most basic type of storage

Answer 67

Evenly distributed

Answer 68

No bleeding over no blinding

Answer 69

Against blinding

Answer 70

IDS detects activities and turns on lightning

Answer 71

If no tampering is done with the alarm wires

Answer 72

Audible at least 4000 feet

Answer 73

every time you make contact with another it results in an exchange of materials for both physical and digital evidence.

Answer 74

Record of system activity, which provides for monitoring and detection.

Answer 75

System administrator intervention is required to return the system to a secure state

Answer 76

A branch of computer forensic analysis. Involves the identification and extraction of information from storage. This may include the following: Magnetic (e.g., hard disks, tapes) Optical (e.g., CDs, DVDs, Blu-ray discs) Memory (e.g., RAM, solid state storage) Techniques used may include the recovery of deleted files from unallocated sectors of the physical disk, the live connection to a computer system (especially useful when examining encrypted), and the static examination of forensic images of storage.

Answer 77

Designed to extract secret information.

Answer 78

Means, Opportunity and Motive Used in determining suspects

Answer 79

Continuous surveillance, to provide for detection and response of any failure in preventive controls.

Answer 80

wave pattern movement sensors

Answer 81

Mean Time Between Failures (Useful Life) = MTTF + MTTR

Answer 82

Often depends on either prior knowledge that an incident is underway or the use of preexisting security controls that log activity. These include: Intrusion detection and prevention system logs, data captured by a flow monitoring system, Packet captures deliberately collected during an incident. Logs from firewalls and other security devices. Collect and correlate information from these disparate sources and produce as comprehensive a picture of activity as possible.

Answer 83

Server optimized for providing file-based data storage to the network. Unlike a File Server, a NAS unit has no input or output devices, and the OS is dedicated for providing storage services.

Answer 84

Scans all outgoing looking for specific variables. If a user sends out a restricted file, the system will detect it and prevent it from leaving the organization. Sends an alert, such as an email to an administrator.

Answer 85

Monitors and evaluates network activity to detect attacks or event anomalies. Cannot monitor content of encrypted traffic but can monitor other packet details. Just one can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.

Answer 86

Data or interference that can trigger a false positive

Answer 87

Most preferred in the legal investigation; pages are attached to a binding.

Answer 88

Communication of a security incident to stakeholders and data owners.

Answer 89

Utilization after initial use

Answer 90

Requires witnesses to testify only about the facts of the case; cannot be used as evidence in the case.

Answer 91

Involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at an alternate site, main site open also

Answer 92

Through sensing changes in temperature

Answer 93

Light beams interrupted (as in an store entrance)

Answer 94

A very cold site.

Answer 95

Comes with door

Answer 96

Controls deployed to avert unauthorized and/or undesired actions.

Answer 97

Combination or electrical lock

Answer 98

Define the way in which the organization operates.

Answer 99

Owned and operated by the customer. System provides many of the features in-house

Answer 100

Customer view taken into account

Answer 101

Magnetic field shows presence around an object

Answer 102

False vulnerability in a system that may attract an attacker

Answer 103

Degaussing or overwriting to be removed

Answer 104

RAID 0 Striped, one large disk out of several. Improved performance but no fault tolerance RAID 1 Mirrored drives: fault tolerance from disk errors and single disk failure, expensive; redundancy only, not speed RAID 2 not used commercially. Hammering Code Parity/error RAID 3 Striped on byte level with extra parity drive. Improved performance and fault tolerance, but parity drive is a single point of failure and write intensive. 3 or more drives RAID 4 Same as Raid 3 but striped on block level; 3 or more drives RAID 5 Striped on block level, parity distributed over all drives. Requires all drives but one to be present to operate hot. Swappable. Interleave parity, recovery control; 3 or more drives RAID 6 Dual Parity; parity distributed over all drives. Requires all drives but two to be present to operate hot. Swappable. RAID 7 Same as raid 5 but all drives act as one single virtual disk

Answer 105

Circumvent a pin tumbler lock

Answer 106

Measures followed to restore critical functions following a security incident.

Answer 107

A group of hard drives working as one storage unit for the purpose of speed and fault tolerance

Answer 108

Use of a backup server(s) to protect information and essential processes in the event of a primary system failure.

Answer 109

Potentially retrievable data residue that remains following intended erasure of data.

Answer 110

Real-time, automatic and transparent backup of data.

Answer 111

Policy, procedures, a team

Answer 112

Criminal act of destruction or disruption committed against an organization by an employee. It can become a risk if an employee is knowledgeable enough about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.

Answer 113

Goes back to the primary site to normal processing environmental conditions. Clean, repair, save what can be saved. Can declare when primary site is available again

Answer 114

Attackers who lack the ability to devise their own attacks will often download programs that do their work for them. The main motivation behind these attacks is the “high” of successfully breaking into a system. Service interruption. An attacker may destroy data, the main motivation is to compromise a system and perhaps use it to launch an attack against another victim. Website defacements common

Answer 115

Copies of documents. Not as strong as best. A copy is not permitted if the original (Best) is available. Oral like Witness testimony

Answer 116

Group of independent servers which are managed as a single system. All servers are online and take part in processing service requests. All share the same OS and application software vs. grid devices that can have different OSs while still working on same problem.

Answer 117

Guidelines within an organization that control the rules and configurations of an IDS

Answer 118

The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity

Answer 119

Conduct forensic reviews of applications or the activity that takes place within a running application. In some cases, conduct a review of software code, looking for back doors, logic bombs, or other security vulnerabilities. In other cases, review and interpret the log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.

Answer 120

Controlled area only accessible for approved users

Answer 121

A subnetwork with storage devices servicing all servers on the attached network.

Answer 122

Third party, commercial services provide alternate backups and processing facilities. Most common of implementations!

Answer 123

When an unexpected kernel or media failure happens and the regular recovery procedure

Answer 124

System shuts itself down in a controlled manner after detecting inconsistent data structures or runs out of resources

Answer 125

1. Rebooting system in single user mode or recovery console, so no user access is enabled 2. Recovering all file systems that were active during failure 3. Restoring missing or damaged files 4. Recovering the required security characteristic, such as file security labels 5. Checking

Answer 126

Purpose of a terrorist attack is to disrupt normal life and instill fear

Answer 127

Launched only for the fun of it. Pride, bragging rights

Answer 128

Highly sensitive internal documents that could seriously damage the organization if such information were lost or made public

Answer 129

An event that triggers an IDS to produce an alarm and react as though a real attack were in progress

Answer 130

Ensures that the security is not breached when a system crash or failure occurs. Only required for a B3 and A1 level systems.

Answer 131

Cylinder slot

Answer 132

- Operational - Criminal - Civil - eDiscovery

Answer 133

Legislative: writes (statutory laws) Executive: enforces (administrative laws) Juridical: interprets laws (makes common laws out of court decisions)

Answer 134

Criminal: individuals in violation; punishment mostly imprisonment Civil: wrongs against individual or organization that result in a damage or loss. Punishment can include financial penalties. AKA tort (I’ll Sue You!) Jury decides liability Administrative/Regulatory: – how industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties

Answer 135

Why certain people fall prey to crime and how lifestyle affects their chances

Answer 136

Hanging, with a key

Answer 137

Does not require a hot spare drive or disk

Answer 138

piracy act of copying software from top notch brands and distributing over the Internet

Answer 139

Colocation cloud combines the benefits of colocation and cloud computing to provide a comprehensive solution that addresses the limitations of traditional data management approaches.

Answer 140

defends from attacks

Answer 141

handles security incidents