CISSP Domain 7: Security Operations
You are working to evaluate the risk of flood to an area and consult flood maps from FEMA. According to those maps, the area lies within a 200 year flood plain. What is the ARO of a flood in that region?
0.005
Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation?
1 week
When should an organization conduct a review of the privileged access that a user has to sensitive systems?
All of the above. When a user leaves the company, roles change, regular and recurring basis
Which one of the following tools helps systems administrators by providing a standard, secure template of configuration settings for operating systems and applications?
Baseline configuration
Which one of the following information sources is useful to security administrators seeking a list of information security vulnerabilities in applications, devices and operating systems?
CVE, dictionary with common security related issues
Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?
Clearance and need to know
Allie is responsible for reviewing authentication logs on her organization's network. She doesn't have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool?
Clipping: uses threshold values to select records that exceed predefined values, which are of most interest to analysts
Carolyn is concerned that users on her network may be storing sensitive information, such as SSN, on their hard drives without proper authorization or security controls. What technology can she use to best detect this activity?
DLP
Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. Ann continues her investigation and realizes that the traffic generating the alert is abnormally high volumes of inbound UDP traffic on port 53. What service typically uses this port?
DNS
Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate use. The inbound packets are responses to queries that she doesn't see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect?
DoS attack
What term is used to describe the default set of privileges assigned to a user when a new account is created?
Entitlement, privileges granted to user when account is first created/provisioned
Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor requests that Darcy give testimony in court about whether, in her opinion, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide?
Expert opinion
Which one of the following mechanisms is not commonly seen as a deterrent to fraud?
Incident response
Which one of the following tasks is performed by a forensic disk controller?
Intercepting and modifying or discarding commands sent to the storage device
During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting?
Interview
Richard is experiencing issues with the quality of network service on his organization's network. The primary symptom is that packets are consistently taking too long to travel from their source to their destination. What term describes the issue Richard is facing?
Latency
Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?
Least privilege
Javier is verifying that only IT systems administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?
Least privilege
Florian is building a disaster recovery plan for his organization and would like to determine the amount of time that a particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating?
MTD (Max Tolerable Downtime)
Which one of the following individuals poses the greatest risk to security in most well-defended organizations?
Malicious insider
Which one of the following trusted recovery types doesn't fail into a secure operating state?
Manual recovery: the system doesn't fail into a secure state but requires an administrator to manually restore operations
Which one of the following events marks the completion of a DRP?
Restoring operations in the primary facility
What type of attack is shown in the figure below?
SYN Flood attack
Patch
An update/fix for an IT asset.
Full
All files; archive bit and modify bit are cleared. Advantage: only the previous day's backup is needed for a full restore. Disadvantage: time consuming.
Cold Site Advantage
Cost, ease of location choice. Nonexclusive. A week to be up.
Smart Cards
Credential cards with one or more microchips that accept or process information; can be contact or contactless.
WARM SITE
Cross between a hot and a cold site. The computer facility is available but the applications may not be installed or may need to be configured. External connections and other data elements that take a long time to order are present. Workstations have to be delivered and data has to be restored.
Islamic and other religious laws
Middle East, Africa, Indonesia and USA
Incident Response Lifecycle
Response Capability (policy, procedures, a team), Incident response and handling (Triage, investigation, containment, and analysis & tracking), Recovery (Recovery / Repair), Debriefing / Feedback (External Communications)
Remanence
The measure of the existing magnetic field on the media after degaussing
Indemnification
The party-to-party litigation costs resulting from a breach of warranties
Disadvantage of Cold Site
Very lengthy restoration time; gives a false sense of security, but is better than nothing.
RTO 12 days
warm site
Tumbler lock
cylinder slot
Warded lock
hanging lock with a key
Normal Operations Resume plan
has all procedures on how the company will return processing from the alternate site
Line supervision check
if no tampering is done with the alarm wires
Multiplexing Attacks:
replayed (video images)
If a user sends out a file containing restricted data, the DLP system
will detect it and prevent it from leaving the organization. The system will also send an alert, such as an email to an administrator.
Legislative
writing laws (statutory laws)
Civil law
wrongs against an individual or organization that result in damage or loss. Punishment can include financial penalties. AKA tort law ("I'll sue you!"). A jury decides liability.
Which one of the following statements best describes a zero-day vulnerability?
An attack previously unknown to the security community
Dual Site Advantage
costs; multiple sites will share resources and support. Disadvantage of Dual Site: a major disaster could affect both sites; multiple configurations have to be administered.
PROTOTYPING
customer view taken into account
Uniform Computer Information Transactions Act (UCITA)
is a federal law that provides a common framework for the conduct of computer-related business transactions.
RAID 7
is the same as RAID 5, but all drives act as one single virtual disk
Espionage
is the malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization.
Identification
labeling, recording serial number etc.
Permissible
lawful obtaining of evidence, avoid: unlawful search and seizure, secret recording, privacy violations, forced confessions, unlawful obtaining of evidence
Central stations
less than 10 minutes travel time, e.g. for a private security firm
Photoelectric
light beams interrupted (as in a store entrance)
Oral evidence
like Witness testimony
Fraud and Crime
like vandalism, looting and people seizing the opportunity
Mitigation
limit the effect or scope of an incident
Database shadowing
live processing of remote journaling, creating duplicates of the database sets on multiple servers
proximity or capacitance detector
magnetic field detects presence around an object
First step by change process
management approval. NB: when a question is about processes, management's approval is always the first step.
Recovery team
mandated to implement recovery after the declaration of the disaster
The evidence must be competent
meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
MOM (Determine suspects)
means, opportunity and motive
Tabletop exercise
members of the disaster recovery team gather in a large conference room and role-play a disaster scenario.
Acoustical detection
microphones, vibrations sensors
What is the minimum number of disks required to implement RAID level 1?
min 2 disk required for RAID 1
RTO 35 days
mobile site
HIDS Host-based IDS
monitors activity on a single computer, including process calls and information recorded in firewall logs.
NIDS Network-based IDS
monitors and evaluates network activity to detect attacks or event anomalies.
Simulation tests
more comprehensive and may impact one or more noncritical business units of the organization, all support personnel meet in a practice room
Fail Closed/secure
most conservative from a security perspective
Notebook
the most preferred in a legal investigation is a bound notebook, whose pages are attached to a binding.
Evidence
must be preserved and identifiable
Passive device
no battery, uses power of the field
Controlled lighting
no bleeding over, no blinding; standby lighting timers
Oral
not best evidence though it may provide interpretation of documents, etc.
A copy Secondary Evidence
not permitted if the original (Best Evidence) is available. Copies of documents.
RAID 2
not used commercially. Hamming Code parity/error correction
Cipher Lock
Electrical
Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an offsite location each night. What type of database recovery technique is the consultant describing?
Electronic vaulting: automated DB backup approach; DB backups are moved from the primary site to a remote server on a scheduled daily basis.
Renee is a software developer who writes code in Node.js for her organization. The company is considering moving from a self-hosted Node.js environment to one where Renee will run her code on application servers managed by a cloud vendor. What type of cloud solution is Renee's company considering?
PaaS
Auxiliary Station systems
on alarm ring out to local fire or police
RAID 0 Striped
one large disk out of several. Improved performance but no fault tolerance.
Incremental
only modified files; archive bit cleared. Advantage: least time and space. Disadvantage: first restore the full backup, then all incremental backups, thus less reliable because it depends on more components.
Differential
only modified files; doesn't clear the archive bit. Advantage: only the full and the last differential backup are needed. Restore time is intermediate between full and incremental.
People
operators, management, technical support persons
Preset
ordinary door lock
Clearing
overwriting media to be reused
Proprietary systems
owned and operated by the customer. System provides many of the features in-house
Supplies and equipment
paper, forms, HVAC. Documenting the continuity strategy.
Remote Journaling
parallel processing of transactions to an alternative site via communication lines
An IDS
part of a defense-in-depth security plan. It will work with, and complement, other security mechanisms such as firewalls, but it does not replace them.
Locard's Exchange Principle
perps leave something behind
Sufficient
persuasive enough to convince one of its validity
BCP committee
representatives from all departments: senior staff (ultimate responsibility, due care/diligence), various business units (identify and prioritize time-critical systems), Information Systems Security Administrator, and the people who will carry out the plan (execute)
Employee relations
responsibility towards employees and families
In other cases, forensic analysis may be asked to
review and interpret the log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.
Desk Check
review plan contents
RAIT
robotic mechanisms to transfer tapes between storage and drive mechanisms
Network-based DLP
scans all outgoing data looking for specific data. Administrators would place DLPs on the edge of the network to scan all data leaving the organization.
Hearsay
secondhand data not admissible in court
Tape
sequential, slow read, fast write 200GB an hour, historically cheaper than disk (now changing), robotic libraries
CI's Build list
set of versions of component
Slack space on a disk
should be inspected for hidden data and should be included in a disk image
Hypervisor
software component that manages the virtual components and controls access to physical resources. The hypervisor adds an additional attack surface, so it's important to ensure it is deployed in a secure state and kept up to date with patches.
Hearsay Evidence
something a witness hears another one say. Also business records are hearsay and all that's printed or displayed.
Failover
switches to hot backup.
Recovery procedures
system should restart in secure mode. Startup should occur in maintenance mode, which permits access only by privileged users from privileged terminals.
Data loss prevention
systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns.
Entrapment
the illegal act of inducing a crime, the individual had no intent of committing the crime at first
Enticement
the legal action of luring an intruder, like in a honeypot
Techniques used for media analysis
the recovery of deleted files from unallocated sectors of the physical disk, the live analysis of storage media connected to a computer system (especially useful when examining encrypted media), and the static analysis of forensic images of storage media.
Confidentiality breaches
theft of sensitive information
Electronic vaulting
transfer of backup data to an offsite storage location via communication lines
Computer Crime Laws 3 types of harm
unauthorized intrusion; unauthorized alteration or destruction; malicious code
Integrity breaches
unauthorized modification of information, violations are not limited to intentional attacks. Human error, oversight, or ineptitude accounts for many instances
Dark-net
unused network space that may detect unauthorized activity
Object reuse
use after initial use
Facilities
use of main buildings or any remote facilities
Primary Evidence
used at the trial because it is the most reliable.
Original documents
used to document things such as contracts -NOTE: no copies!
Territorial Reinforcements
walls fences flags
Hackers and crackers
want to verify their skills as intruders
Emergency restart
when a system restarts after a failure happens in an uncontrolled manner. E.g. when a low privileged user tries to access restricted memory segments
System cold start
when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system in a more consistent state.
Fault-tolerant
continues to function despite failure
Executive
enforces laws (administrative laws)
Security Incident
event or series of events that adversely impact the ability of an organization to do business
Security intrusion
evidence attacker attempted or gained access
Disadvantage of Service Bureau
expense and it is more of a short time option.
Hot Site Disadvantage:
extra administrative overhead, costly; security controls need to be installed at the remote facility too. Exclusive to one company. Hours to be up.
Pseudo flaw
false vulnerability in a system that may attract an attacker
Disk
fast read/write, less robust than tape
RAID 1 Mirrored drives
fault tolerance from disk errors and single disk failure, expensive; redundancy only, not speed
Business Attacks
focus on illegally obtaining an organization's confidential information.
Target Hardening
focus on locks, cameras guards
Interviewing
gather facts and determine the substance of the case.
The terms of UCITA
give legal backing to the previously questionable practices of shrink-wrap licensing and clickwrap licensing by giving them status as legally binding contracts.
Salvage team
returns the primary site to normal processing environmental conditions: clean, repair, salvage. Can declare when the primary site is available again.
Server clustering
group of independent servers which are managed as a single system. All servers are online and take part in processing service requests.
Natural Access control
guidance of people by doors, fences, bollards, lighting. Security zones are defined by natural surveillance, territorial reinforcements and target hardening.
Administrative/Regulatory law
how the industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties
Fail Hard - BSOD
human to see why it failed
Bind variables
in SQL used to enhance performance of a database
IPS intrusion prevention system
includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions.
Criminal law
individuals that violate government laws. Punishment mostly imprisonment
Noise and perturbation
inserting bogus information to hope to mislead an attacker
Forensic Disk Controller
intercepting and modifying or discarding commands sent to the storage device
Parallel tests
involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at the alternate site while the main site stays open as well.
Full-interruption tests
involve relocating personnel to the alternate site and shutting down operations at the primary site.
Data haven
is a country or location that has no laws or poorly enforced laws
Financial disbursement, Media relations
Find someone to run it
The main motivation behind these attacks is the "high" of successfully breaking into a system
Script kiddies
Which one of the following is not a requirement for evidence to be admissible in court?
The evidence must be tangible
MTTF
(mean time to failure)
Civil law
Europe, South America
3 branches for laws:
Legislative, Executive, Judicial
Types of Law
Operational, Criminal, Civil, eDiscovery
Other data center backup alternatives
Rolling/mobile sites Mobile homes or HVAC trucks.
Fences
Small mesh and high gauge is most secure; 3-4 feet deters the casual trespasser
Egress filtering
The practice of monitoring and potentially restricting the flow of information outbound from one network to another
Photo id card:
dumb cards
Financial Attacks
carried out to unlawfully obtain money or services.
Oral Evidence
is a type of Secondary Evidence so the case can't simply stand on it alone
Testimony from a witness
one of their 5 senses
Security incident
suspected attack
CI's used to build a CI Software Library
controlled area only accessible for approved users
Sabotage
is a criminal act of destruction or disruption committed against an organization by an employee.
Forensic Disk Controller Steps
Write blocking: intercepts write commands sent to the device and prevents them from modifying data on the device. Returning data requested by a read operation. Returning access-significant information from the device. Reporting errors from the device to the forensic host.
Multiple centers
(aka dual sites) Processing is spread over several computer centers. Can be managed by the same corporation (in-house) or with another organization (reciprocal agreement).
Hacktivists
(combination of hacker and activist), often combine political motivations with the thrill of hacking.
annunciator system
(detects movements on screen and alerts guards)
Optical media
(e.g., CDs, DVDs, Blu-ray discs)
Memory
(e.g., RAM, solid state storage)
Magnetic media
(e.g., hard disks, tapes)
Recording
(for later review) = detective control
MTTR
(mean time to repair)
EVIDENCE LIFECYCLE
1. Discovery 2. Protection 3. Recording 4. Collection and identification 5. Analysis 6. Storage, preservation, transportation 7. Present in court 8. Return to owner
Common criteria hierarchical recovery types
1. Manual: system administrator intervention is required to return the system to a secure state. 2. Automatic: recovery to a secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures). 3. Automatic without undue loss: a higher level of recovery, defining prevention against the undue loss of protected objects. 4. Function: the system can restore functional processes automatically.
System recovery after a system crash
1. Rebooting the system in single-user mode or the recovery console, so no user access is enabled. 2. Recovering all file systems that were active during the failure. 3. Restoring missing or damaged files. 4. Recovering the required security characteristics, such as file security labels. 5. Checking security-critical files such as the system password file.
Focus on business processes
1. Scope and plan initiation: consider the amount of work required, resources required, management practice. 2. BIA: helps to understand the impact of disruptive processes. 3. Business Continuity Plan development: a. use the BIA to develop the BCP (the strategy development phase bridges the gap between the business impact assessment and the continuity planning phases of BCP development); b. testing. 4. Plan approval and implementation: management approval, create awareness.
Hot Site Advantage:
24/7 availability and exclusive use are assured. Short and long term.
Combination lock
3 digits with wheels
SQL -SUDIGR
6 basic SQL commands: Select, Update, Delete, Insert, Grant, Revoke
Honeyfarm
A centralized collection of honeypots and analysis tools
Infrared Linear Beam Sensors
A focused infrared (IR) light beam is projected from an emitter and bounced off of a reflector that is placed at the other side of the detection area
Configuration management (CM)
A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).
Change management
A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.
Security Information and Event Management (SIEM)
A group of technologies which aggregate information about access controls and selected system activity to store for analysis and correlation
Cipher Lock
A lock controlled by a keypad or touch screen, typically with 5 to 10 digits; when pushed in the right combination the lock releases and allows entry
Mortise Lock
A lock or latch that is recessed into the edge of a door, rather than being mounted to its surface.
Rim Lock
A lock or latch typically mounted on the surface of a door, typically associated with a dead bolt type of lock
Intrusion detection system (IDS)
A solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access.
Intrusion Prevention System (IPS)
A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access.
Data Leak Prevention (DLP)
A suite of technologies aimed at stemming the loss of sensitive information that occurs in the enterprise.
Intrusion Detection System (IDS)
A technology that alerts organizations to adverse or unwanted activity
Prefabricated buildings
A very cold site.
Power users
Accounts granted greater privileges than normal user accounts when it is necessary for the user to have greater control over the system, but where administrative access is not required
Administrator accounts
Accounts that are assigned only to named individuals that require administrative access to the system to perform maintenance activities, and should be different and separate from a user's normal account.
Service accounts
Accounts used to provide privileged access used by system services and core applications
Service interruption
An attacker may destroy data; the main motivation is to compromise a system and perhaps use it to launch an attack against another victim. (Website defacements are common.)
Sandboxing
An isolated test environment that simulates the production environment but will not affect production components/data.
Statistical Anomaly-based IDS
Analyzes event data by comparing it to typical, known, or predicted traffic profiles in an effort to find potential security breaches
Media
Any object that contains data.
Mutual aid agreements (aka reciprocal agreement)
Arrangement with another similar corporation to take over processes. Advantage: cheap. Disadvantage: must be exactly the same; is there enough capacity; only for the short term; and what if the disaster affects both corporations. Is not enforceable.
Script kiddies
Attackers who lack the ability to devise their own attacks will often download programs that do their work for them.
Failure preparation
Backup critical information thus enabling data recovery
Uninterruptible power supplies (UPS)
Batteries that provide temporary, immediate power during times when utility service is interrupted.
Five rules of evidence
Be authentic: evidence tied back to the scene. Be accurate: maintain authenticity and veracity. Be complete: all evidence collected, for and against the view. Be convincing: clear and easy to understand for the jury. Be admissible: able to be used in court.
The use of the information gathered during the attack usually causes more damage than the attack itself.
Business Attacks (BA)
Optical drive
CD/DVD. Inexpensive
Facility site
CORE OF BUILDING (thus with 6 storeys, on the 3rd floor)
Direct Evidence
Can prove fact by itself and does not need any type of backup.
Magnetic Stripe (mag stripe) cards
Consist of a magnetically sensitive strip fused onto the surface of a PVC material, like a credit card
SERVICE BUREAU
Contract with a service bureau to fully provide alternate backup processing services.
Could be considered a cold site
In-house or external supply of hardware replacements. Stock of hardware either onsite or with a vendor. May be acceptable for warm site but not for hot site.
Live evidence
Data that are dynamic and exist in running processes or other volatile locations (e.g., system/device RAM) that disappear in a relatively short time once the system is powered down
Audit Trails
Date and time stamps; successful or unsuccessful attempt; where the access was granted; who attempted access; who modified access privileges at supervisor level
Honeypot
Decoy servers or systems setup to gather information regarding an attacker or intruder into your system
Acoustic Sensors
Device that uses passive listening devices
Balanced Magnetic Switch (BMS)
Devices that use a magnetic field or mechanical contact to determine if an alarm signal is initiated
Steps for DRP
Documenting the plan; activation and recovery procedures; plan management; HR involvement; costs; required documentation; internal/external communications; detailed plans by team members
RAID 6
Dual parity, with parity distributed over all drives. Requires all drives but two to be present to operate. Hot swappable.
Business continuity Planning
Ensuring the business can continue in an emergency, 1st business organization analysis
Records and Information Management (RIM)
Essential activities to protect business information and can be established in compliance with laws, regulations, or corporate governance
Interrogation
Evidence retrieval method, ultimately obtain a confession
5 Ways of processing a Root Cause Analysis
Failure Mode and Effects Analysis, Pareto Analysis, Fault Tree Analysis, Cause Mapping
Software Analysis
Forensic analysts may also be called on to conduct forensic reviews of applications or the activity that takes place within a running application.
Network Analysis
Forensic investigators are also often interested in the activity that took place over the network during a security incident.
HOT SITE - Internal/External
Fully configured computer facility. All applications are installed, up to date mirror of the production system. For extremely urgent critical transaction processing.
Tape Rotation Schemes
GF/Father/Son, Tower of Hanoi, Six Cartridge Weekly
RTO 5 minutes or hours
Hot site;
Incident Scene Management
ID the scene; protect the environment; ID evidence and potential sources of evidence; collect evidence (hash it); minimize the degree of contamination
Responsive areas illumination
IDS detects activities and turns on lighting. NIST: for critical areas the area should be illuminated to 8 feet in height with 2 foot-candles of power.
Traffic anomaly-based IDS
Identifies any unacceptable deviation from expected behavior based on actual traffic structure
Protocol Anomaly-Based IDS
Identifies any unacceptable deviation from expected behavior based on known network protocols
IPS
If desired, administrators can disable these extra features of an ______, essentially causing it to function as an IDS.
Other recovery issues
Interfacing with other groups: everyone outside the corporation
Judicial
Interprets laws (makes common laws out of court decisions)
Types of Network Forensic Analysis
Intrusion detection and prevention system logs; network flow data captured by a flow monitoring system; packet captures deliberately collected during an incident; logs from firewalls and other network security devices
Conclusive evidence
Irrefutable and cannot be contradicted, Requires no other corroboration
Potential for sabotage
It can become a risk if an employee is knowledgeable enough about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.
COLD SITE
Least ready but most commonly used. Has no hardware installed only power and HVAC.
Advantage of Warm Site
Less costly, more choices of location, fewer administrative resources. Disadvantage of Warm Site: it will take some time to start production processing. Nonexclusive. 12 hours to be up.
FAIR INFORMATION PRACTICES
Openness, Collection Limitation, Purpose Specification, Use Limitation, Data Quality, Individual Participation, Security Safeguards, Accountability
JBOD
MOST BASIC TYPE OF STORAGE
Honeypots/honeynets
Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy malicious or unauthorized intruders, as a means of delaying their attempts to access production data/assets. A number of machines of this kind, linked together as a network or subnet, are referred to as a "honeynet."
MTBF
Mean time between failures (Useful Life) = MTTF + MTTR
Redundant
Mirrored site, potential 0 down time
Secondary Evidence
Not as strong as best evidence.
emergency response backup operations and post disaster recovery
Plan for _______________________ maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation
Steps for Due Process
Prepare questions and topics, put the witness at ease, summarize information (interview/interrogation plan). Have one person as lead and 12 others involved as well; never interrogate or interview alone
Need-to-know
Primarily associated with organizations that assign clearance levels to all users and classification levels to all assets; restricts users with the same clearance level from sharing information unless they are working on the same effort. Entails compartmentalization.
Aggregation
Privilege Creep, accumulate privileges
Instant Keys
Provide a quick way to disable a key by permitting one turn of the master key to change a lock
Automating much of the routine work of log review
Provide real‐time analysis of events occurring on systems throughout an organization but don't necessarily scan outgoing traffic.
Parity bits
RAID technique; logical mechanism used to mark striped data; allows recovery of missing drive(s) by pulling data from adjacent drives.
Striping
RAID technique; writing a data set across multiple drives.
Disaster Recovery
Recover as quickly as possible; heavy IT focus; allows the execution of the BCP; needs planning; needs testing; CRITICAL, URGENT, IMPORTANT
Opinion Rule
Requires witnesses to testify only about the facts of the case, cannot be used as evidence in the case.
End Goal for Disaster Recovery
Restore normal business operations.
RAID4
Same as RAID 3 but striped at block level; 3 or more drives
Time domain Reflectometry (TDR)
Send induced radio frequency (RF) signals down a cable that is attached to the fence fabric
Disaster Recovery Planning
Statement of actions that have to be taken before, during and after a disruptive event that causes a significant loss of information
Locard's exchange principle
States that when a crime is committed, the perpetrators leave something behind and take something with them, hence the exchange
RAID 5
Striped at block level, parity distributed over all drives; requires all drives but one to be present to operate; hot swappable. Interleaved parity, recovery control; 3 or more drives
RAID 3
Striped at byte level with an extra parity drive; improved performance and fault tolerance, but the parity drive is a single point of failure and write intensive. 3 or more drives
Corroborative Evidence
Supports or substantiates other evidence presented in a case
System reboot
System shuts itself down in a controlled manner after detecting inconsistent data structures or running out of resources
Backup storage media
Tape, Disk, Optical Drive, Solid State
Criteria for Admissible Evidence
The evidence must be relevant to determining a fact. The fact that the evidence seeks to determine must be material (that is, related) to the case.
Separation of duties
The practice of ensuring that no organizational process can be completed by a single person; forces collusion as a means to reduce insider threats.
Job rotation
The practice of having personnel become familiar with multiple positions within the organization as a means to reduce single points of failure and to better detect insider threats.
Least privilege
The practice of only granting a user the minimal permissions necessary to perform their explicit job function.
Steganography
The science of hiding information
Chain of custody
The who, what, when, where, and how the evidence was handled—from its identification through its entire life cycle, which ends with destruction, permanent archiving, or returning to the owner.
Honeynet
Two or more honeypots on a network
Common law
USA, UK, Australia, Canada (judges)
Solid state
USB drive, security issues, protected by AES
Proximity Card (prox cards)
Use embedded antenna wires connected to a chip within the card through RF.
Expert Witnesses
Used to educate the jury, can be used as evidence
Circumstantial evidence
Used to help assume another fact, Cannot stand on its own to directly prove a fact
Wireless proximity cards
User activated, system sensing
IDS intrusion detection system
automates the inspection of logs and real-time system events to detect intrusion attempts and system failures.
Data center should have:
Walls from floor to ceiling; floor: concrete slab, 150 pounds per square foot; no windows in a data center; air conditioning should have its own Emergency Power Off (EPO)
Six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of forensically recovered evidence:
When dealing with digital evidence, all of the general forensic and procedural principles must be applied. Upon seizing digital evidence, actions taken should not change that evidence. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession. Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
Grudge Attacks
attacks that are carried out to damage an organization or a person. The damage could be in the loss of information or information processing capabilities or harm to the organization or a person's reputation. The result of grudge attacks
Local alarms
audible alarm that can be heard from at least 4000 feet away
One exception to business records
audit trails and business records are not considered hearsay when the documents are created in the normal course of business.
Hardware/Embedded Device Analysis
Forensic analysts often must review the contents of hardware and embedded devices. This may include a review of personal computers and smartphones
Intrusion detection
a specific form of monitoring that examines recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.
Disaster
any event, natural or manmade, that can disrupt normal IT operations
Events
anything that happens. Can be documented, verified, and analyzed
Redundant servers
applies the RAID 1 mirroring concept to servers. On error, servers can fail over. Also known as server fault tolerance
IDSs
are an effective method of detecting many DoS and DDoS attacks.
Bind variables
are placeholders for literal values in a SQL query being sent to the database on a server
Thrill attacks
are attacks launched only for the fun of it: pride, bragging rights
Countermeasures against espionage
are to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.
Building
assembling a version of a CI using components
Field Powered device
active electronics and a transmitter, but gets power from the surrounding field generated by the reader
Glare protection
against blinding by lights; continuous lighting, evenly distributed lighting
Power supplies
alarm systems need separate circuitry and backup power
Multiplexer
allows multiple camera feeds to be shown over one cable on a monitor, via coax cables (hence "closed")
Exigent circumstances
allows officials to seize evidence before it is destroyed (police team fall in)
An intrusion
an attacker is able to bypass or thwart security mechanisms and gain access to an organization's resources.
Configuration item (CI)
component whose state is recorded. Version: recorded state of the CI
The disaster is not over until all operations have
been returned to their normal location and function (data verified at primary site as accurate)
Device lock
bolt down hardware
Transponders
both card and receiver hold power, a transmitter, and electronics. Ensures that security is not breached when a system crash or failure occurs. Only required for B3 and A1 level systems.
Media analysis
branch of computer forensic analysis, involves the identification and extraction of information from storage media.
In some cases, when malicious insiders are suspected, the forensic analyst may be asked to
conduct a review of software code, looking for back doors, logic bombs, or other security vulnerabilities.
Reliable
consistent with fact, evidence has not been tampered with or modified
Uniform Computer Information Transactions Act
contains provisions that address software licensing.
Natural surveillance
cameras and guards
Attackers (espionage)
can be dissatisfied employees, and in some cases, employees who are being blackmailed by someone outside the organization.
A single NIDS
can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.
HIDS
can often examine events in more detail than an NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker.
Intrusion Detection Systems
can recognize attacks that come from external connections, such as an attack from the Internet, and attacks that spread internally, such as a malicious worm. Once an IDS detects a suspicious event, it responds by sending alerts or raising alarms. In some cases, it can modify the environment to stop an attack.
Endpoint-based DLP
can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization's endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.
NIDS
cannot monitor the content of encrypted traffic but can monitor other packet details.
Raking
circumvents a pin tumbler lock
Individual computing devices on a cluster vs. a grid system
cluster devices all share the same OS and application software, but grid devices can have different OSs while still working on the same problem
RTO 1 to 2 weeks
cold site
The task of the network forensic analyst
collect and correlate information from these disparate sources and produce as comprehensive a picture of network activity as possible.
Configuration
collection of component CI's that make another CI
Chain of custody
collection, analysis, and preservation of data. Forensics uses a bit-level copy of the disk
Preserved and identifiable
collection, reconstruction
Programmable
combination or electrical lock
Destruction
completely destroy, preferably by burning
When investigating a hard drive
don't use a message digest because it will change the timestamps of the files when the filesystem is not set to read-only
FAIL SECURE
doors LOCK
FAIL SAFE
doors UNLOCK
CCTV
enables you to compare the audit trails and access logs with a visual recording
Direct Evidence
does not need other evidence to substantiate
3 states of information
data at rest (storage), data in transit (the network), data being processed (must be decrypted) / in use / endpoint
Purging
degaussing or overwriting so that the data is removed
Network forensic analysis
depends on either prior knowledge that an incident is underway or the use of preexisting security controls that log network activity.
Military or intelligence attack
designed to extract classified or sensitive information.
Electromechanical
detect a break or change in a circuit: magnets pulled loose, wires, doors, pressure pads
A benefit of HIDSs over NIDSs is that HIDSs can
detect anomalies on the host system that NIDSs cannot detect.
Passive infrared
detects changes in temperature
wave pattern motion detectors
detects motions
Attackers often commit espionage with the intent of
disclosing or selling the information to a competitor or other interested organization (such as a foreign government).
Fail safe system
program execution is terminated and the system is protected from compromise when a hardware or software failure occurs; usually doors
Electronic Access Control (EAC) proximity readers
programmable locks or biometric systems
A primary goal of an IDS
provide a means for a timely and accurate response to intrusions.
Third party, commercial services
provide alternate backups and processing facilities. Most common of implementations!
DRP Goal
provide an organized way for decision making, reduce confusion, and deal with the crisis. Planning and development must occur before the disaster (the BIA has already been done; now we're going to protect!)
Federal Sentencing Guidelines
provides judges and courts with procedures on prevention, detection, and reporting
Terrorist Attacks
purpose of a terrorist attack is to disrupt normal life and instill fear
Advantage of Service Bureau
quick response and availability, testing is possible.
Fail soft or resilient system
reboot; selected, noncritical processing is terminated when a failure occurs
RTO:
recovery time objective. Refers to business processes, not hardware.
Entitlement
refers to the amount of privileges granted to users, typically when first provisioning an account. A user entitlement audit can detect when employees have excessive privileges
Relevant
relationship to the findings must be reasonable and sensible: proof of crime, documentation of events, proof of acts and methods used, proof of motive, identification of acts
Admissible evidence
relevant, sufficient, reliable, does not have to be tangible
Data remanence
remaining data after erasure; format magnetic media 7 times (Orange Book)
Sam is responsible for backing up his company's primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and differential backups on other days of the week at that same time. Files change according to the information shown in the figure below. How many files will be copied in Wednesday's backup?
5
Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the set of privileges she has accumulated?
Aggregation
Which one of the following events would constitute a security incident? 1. An attempted network intrusion, 2. A successful database intrusion, 3. A malware infection, 4. A violation of a confidentiality policy, 5. An unsuccessful attempt to remove information from a secured area.
All of the above 1. An attempted network intrusion, 2. A successful database intrusion, 3. A malware infection, 4. A violation of a confidentiality policy, 5. An unsuccessful attempt to remove information from a secured area.
Gina is a firewall administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, she checked the IDS, which reported that a Fraggle attack was underway. What firewall configuration change can Gina make to most effectively prevent this attack?
Block UDP port 7 and 9 traffic from entering the network. Fraggle attacks use UDP ports 7 and 9
The historic ping of death attack is most similar to which of the following model attack types?
Buffer overflow
Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system's security settings. Where would he most likely find this information?
Change log
Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose?
Checklist review
Beth is selecting a disaster recovery facility for her organization. She would like to choose a facility that has appropriate environmental controls and power for her operations but wants to minimize costs. She is willing to accept a lengthy recovery time. What type of facility should she choose?
Cold site
Frank is seeking to introduce a hacker's laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court rules that the search of the apartment that resulted in the police finding the laptop was unconstitutional. What admissibility criterion prevents Frank from introducing the laptop as evidence?
Competence; the evidence was not legally obtained
Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack?
Conduct forensic imaging of all systems
Which one of the following security tools consists of an unused network address space that may detect unauthorized activity?
Darknet
Quantum Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quantum can use to protect these tapes?
Data encryption
Reggie recently received a letter from his company's internal auditors scheduling the kickoff meeting for an assessment of his group. Which of the following should Reggie not expect to learn during that meeting?
Expected findings
Referring to the figure below, what technology is shown that provides fault tolerance for the database servers?
Failover cluster
What legal protection prevents law enforcement agencies from searching a facility or electronic system without either probable cause or consent?
Fourth Amendment
Which one of the following controls protects an organization in the event of a sustained period of power loss?
Generators
Gordon suspects that a hacker has penetrated a system belonging to his company. The system doesn't contain any regulated information, and Gordon wishes to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true?
Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company
Which one of the following individuals is most likely to lead a regulatory investigation?
Government agent
Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident?
HIDS (Host-based Intrusion Detection System)
Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own data center but also leverages an IaaS provider for hosting its web services and a SaaS email system. What term best describes the type of cloud environment this organization uses?
Hybrid cloud
In virtualization platforms, what name is given to the model that is responsible for controlling access to physical resources by virtual resources?
Hypervisor
In what virtualization model do full guest operating systems run on top of a virtualization platform?
Hypervisor
Which of the following would normally be considered an example of a disaster when performing disaster recovery planning? I. Hacking incident, II. Flood, III. Fire, IV. Terrorism
I, II, III, IV
Which of the following organizations would be likely to have a representative on CSIRT? I. Information security, II. Legal Counsel, III. Senior mgmt, IV. Engineering
I, III, IV
Which one of the following security tools is not capable of generating an active response to a security event?
IDS
Which one of the following frameworks focuses on IT service mgmt and includes topics such as change mgmt, config mgmt, and SLAs?
ITIL
Timber Industries recently got into a dispute with a customer. During a meeting with his account representative, the customer stood up and declared, "There is no other solution. We will have to take this matter to court." He then left the room. When does Timber Industries have an obligation to begin preserving evidence?
Immediately begin preserving evidence
Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions?
Logging into a workstation
In what type of attack do attackers manage to insert themselves into a connection between a user and a legitimate website?
Man-in-the-Middle (MITM)
Tim is a forensic analyst who is attempting to retrieve information from a hard drive. It appears that the user attempted to erase the data, and Tim is trying to reconstruct it. What type of forensic analysis is Tim performing?
Media analysis
Which one of the following is not an example of a backup tape rotation scheme?
Meet in the middle
During what phase of the incident response process do administrators take action to limit the effect or scope of an incident?
Mitigation
Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?
Need to know
You are performing an investigation into a potential bot infection on your network and wish to perform a forensic analysis of the information that passed between different systems on your network and those on the Internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information?
Netflow data
Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command and control servers. Which one of the following techniques would most likely provide this information if Jim has access to a list of known servers?
Netflow records. Contains a record of every network communication session, compare to a list of known malicious hosts.
Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?
No access
What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running?
Parallel test
Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger's firm?
Patching operating systems
Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allowed him to gain root access to that server. What type of attack took place?
Privilege escalation
Which one of the following is not a canon of the ISC2 code of ethics?
Promptly report security vulnerabilities to relevant authorities
Which one of the following might a security team use on a honeypot system to consume an attacker's time while alerting administrators?
Pseudoflaw, false vulnerability in a system that may attract an attacker.
In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor, where one customer may not know the other's identity?
Public cloud
Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?
Public domain
What level of RAID is also known as disk mirroring?
RAID-1 = disk mirroring
Which one of the following technologies would provide the most automation of an inventory control process in a cost effective manner?
RFID
What type of evidence consists entirely of tangible items that may be brought into a court of law?
Real evidence (Documentary: written items that may or may not be in tangible form; Testimonial: verbal evidence given by a witness with relevant testimony; Parol: an agreement is put into written form, with all terms of the agreement)
Which one of the following techniques is not commonly used to remove unwanted remnant data from magnetic tapes?
Reformatting
During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy?
Reporting
Bruce is seeing quite a bit of suspicious activity on his network. It appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in?
SSH scanning
Mark is considering replacing his organization's customer relationship mgmt (CRM) solution with a new product that is available in the cloud. The new solution is completely managed by the vendor, and Mark's company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering?
SaaS
Connor's company recently experienced a DoS attack that Connor believes came from an inside source. If true, what type of event has the company experienced?
Sabotage
Which one of the following techniques uses statistical methods to select a small number of records from a large pool for further analysis with the goal of choosing a set of records that is representative of the entire pool?
Sampling, uses statistical techniques to choose a sample representative of the entire pool.
What technique can application developers use to test applications in an isolated virtualized environment before allowing them on a production network?
Sandboxing
Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. At this point in the incident response process, what term best describes what has occurred in Ann's organization?
Security event, no reason to believe security compromise or policy violation occurred
Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. At this point in the incident response process, what term best describes what has occurred in Ann's organization?
Security incident
Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary designs the program, he uses the matrix shown below. What principle of information security does this matrix most directly help enforce?
Segregation of duties matrix, used to prevent a user from accumulating two permissions that would create a potential conflict
When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?
Separation of duties
Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?
Service Level Agreement (SLA)
Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?
Service pack
Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business?
Software escrow agreements place a copy of the source code for software with a 3rd party, who will turn the code over to the customer if business operations stop.
Jerome is conducting a forensic investigation and is reviewing database server logs to investigate query content for evidence of SQL injection attacks. What type of analysis is he performing?
Software analysis
Under what virtualization model does the virtualization platform separate the network control plane from the data plane and replace complex network devices with simpler devices that simply receive instructions from the controller?
Software-defined networking
Joe is an investigator with a law enforcement agency. He received a tip that a suspect is communicating sensitive information with a 3rd party via a message board. After obtaining a warrant for the message, he obtained the contents and found that the message only contains the image shown in the figure below. If this is the sole content of the communication, what technique could the suspect have used to embed sensitive information in the message?
Steganography
Which of the following is not true about the ISC2 code of ethics?
The code applies to all members of the information security profession
Toni responds to the desk of a user who reports slow system activity. Upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user doesn't use social media, and when Toni checks the accounts in question, they contain strange messages that appear encrypted. What is the most likely cause of this traffic?
Toni's computer is part of a botnet
Which one of the following traffic types should not be blocked by an organization's egress filtering policy?
Traffic with a destination address on an external network
Which of the following is an example of a manmade disaster?
Transformer failure
What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains?
Transitive trusts
Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply?
Two person control
Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee's manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?
Two person control
Which one of the following is an example of computer security incident?
Unauthorized vulnerability scan of a file server
What technique has been used to protect the IP in the image shown below?
Watermarking