CISSP Domain 7: Security Operations

You are working to evaluate the risk of flood to an area and consult flood maps from FEMA. According to those maps, the area lies within a 200 year flood plain. What is the ARO of a flood in that region?

0.005

Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation?

1 week

When should an organization conduct a review of the privileged access that a user has to sensitive systems?

All of the above. When a user leaves the company, roles change, regular and recurring basis

Which one of the following tools helps systems administrators by providing a standard, secure template of configuration setting or operating systems and applications?

Baseline configuration

Which one of the following information sources is useful to security administrators seeking a list of information security vulnerabilities in applications, devices and operating systems?

CVE, dictionary with common security related issues

Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. Gary is preparing to creat an account for a new user and assign privileges to the HR database. What wo elements of infomration must Gary verify before granting this access?

Clearance and need to know

Allie is responsible for reviewing authentication logs on her organization's network. She doesn't have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool?

Clipping, uses threshold values to select records that exceed predefined values, most interest to analysts

Carolyn is concerned that users on her network may be storing sensitive information, such as SSN, on their hard drives without proper authorization or security controls. What technology can she use to best detect this activity?

DLP

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts orignating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alrets turn out to be false alarms after her investigation. This morning, the IDS alerted because teh network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking tino the origin of the traffic. Ann continues her investigation and realizes that the traffic generating the alert in abnormally high volumes of inbound UDP traffic on port 53. What service typicall uses this port?

DNS

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts orignating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alrets turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking tino the origin of the traffic. As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate uses. The inbound packets are responses to quires that she doesn't see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect?

DoS attack

What term is used to describe the default set of privileges assigned to a user when a new account is created?

Entitlement, privileges granted to user when account is first created/provisioned

Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor request that Darcy give testimony in court about whether, in her opinon, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide?

Expert opinion

Which one of the following mechanisms is not commonly seen as a deterrent to fraud?

Incident response

Which one of the following tasks is performed by a forensic disk controller?

Intercepting and modifying or discarding commands sent to the storage device

During an incident investigation, investigators meet with a systme administrator who may have information about the incident but is not a suspect. What type of conversarion is take place during this meeting?

Interview

Richard is experiencing issues with the quality of network service on his organization's network. The primary symptom is that packets are consitently taking too long to travel from source to their destination. What term describes the issue Richard is facing?

Latency

Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?

Least privilege

Javier is verifying that only IT systems administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?

Least privilege

Florian is buidling a disaster recovery plan for his organization and would like to determine the amount of time that particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating?

MTD (Max Tolerable Downtime)

Which one of thef ollowing individuals poses the greatest risk to security in most well-defended organizations?

Malicious insider

Which one of the following trusted recovery types doesn't fail into a secure operating state?

Manual recovery, system doesn't fail into secure state but requires administrator to manually restore operations

Which one of the following events marks the completion of a DRP?

Restoring operations in the primary facility

What type of attack is show in the figure below

SYN Flood attack

Patch

An update/fix for an IT asset.

Full

All files, archive bit and modify bit are cleared. Advantage: only previous day needed for full restore, disadvantage: time consuming

Cold Site Advantage

Cost, ease of location choice. Nonexclusive. week

Smart Cards

Credential cards with one or more microchip processing that accepts or processes infomraiton and can be contact or contact less.

WARM SITE

Cross between hot and cold site. The computer facility is available but the applications may not be installed or need to be configured. External connections and other data elements that take long time to order are present. Workstations have to be delivered and data has to be restored.

Islamite and other Religious laws

Middle East, Africa, Indonesia and USA

Incident Response Lifecycle

Response Capability (policy, procedures, a team), Incident response and handling (Triage, investigation, containment, and analysis & tracking), Recovery (Recovery / Repair), Debriefing / Feedback (External Communications)

Remanence

The measure of the existing magnetic field on the media after degaussing

Indemnification

The party to party litigation costs resulting from its breach of warranties

Disadvantage of Cold Site

Very lengthy time of restoration, false sense of security but better than nothing.

RTO 12 days

warm site

Tumbler lock

cylinder slot

Warded lock

hanging lock with a key

Normal Operations Resume plan

has all procedures on how the company will return processing from the alternate site

Line supervision check

if no tampering is done with the alarm wires

Multiplexing Attacks:

replayed (video images)

If a user sends out a file containing restricted data, the DLP system

will detect it and prevent it from leaving the organization. The system will send an alert, such as an email to an administrator.

Legislative

writing laws (statutory laws)

Civil law

wrongs against individual or organization that result in a damage or loss. Punishment can include financial penalties. AKA tort law (I'll Sue You!) Jury decides liability

Which one of the following statements best describes a zero-day vulnerability?

An attack previously unknown to the security community

Dual Site Advantage

costs, multiple sites will share resources and support. Disadvantage of Dual Site a major disaster could affect both sites; multiple configurations have to be administered.

PROTOTYPING

customer view taken into account

Uniform Computer Information Transactions Act (UCITA)

is a federal law that provides a common framework for the conduct of computer-related business transactions.

RAID 7

is same as raid5, but all drives act as one single virtual disk

Espionage

is the malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization.

Identification

labeling, recording serial number etc.

Permissible

lawful obtaining of evidence, avoid: unlawful search and seizure, secret recording, privacy violations, forced confessions, unlawful obtaining of evidence

Central stations

less than 10mins travel time for e.g. an private security firm

Photoelectric

light beams interrupted (as in an store entrance)

Oral evidence

like Witness testimony

Fraud and Crime

like vandalism, looting and people grabbing the opportunity

Mitigation

limit the effect or scope of an incident

Database shadowing

live processing of remote journaling and creating duplicates of the database sets to multiple servers

proximity or capacitance detector

magnetic field detects presence around an object

First step by change process

management approval. NB: when a question is about processes, there must always be management's approval as First step.

Recovery team

mandated to implement recovery after the declaration of the disaster

The evidence must be competent

meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

MOM (Determine suspects)

means, opportunity and motive

Tabletop exercise

members of the disaster recovery team gather in a large conference room and role-play a disaster scenario.

Acoustical detection

microphones, vibrations sensors

What is the minimum number of disks required to implement RAID level 1?

min 2 disk required for RAID 1

RTO 35 days

mobile site

HIDS Host-based IDS

monitors activity on a single computer, including process calls and information recorded in firewall logs.

NIDS Network-based IDS

monitors and evaluates network activity to detect attacks or event anomalies.

Simulation tests

more comprehensive and may impact one or more noncritical business units of the organization, all support personnel meet in a practice room

Fail Closed/secure

most conservative from a security perspective

Notebook

most preferred in the legal investigation is a bound notebook, pages are attached to a binding.

Evidence

must be preserved and identifiable

Passive device

no battery, uses power of the field

Controlled lightning

no bleeding over no blinding Standby Lightning timers

Oral

not best evidence though it may provide interpretation of documents, etc.

A copy Secondary Evidence

not permitted if the original, Best Evidence, is available -Copies of documents.

RAID 2

not used commercially. Hammering Code Parity/error

Cipher Lock

Electrical

Veronica is considering the implementation of a database recovery mechanism recommeded by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an offisite location each night. What type of database recovery technique is the consultant describing?

Electronic vaulting, automated DB backup approach, DB backups are moved from primary to remote server on scheduled daily basis.

Renee is a software developer who writes code in Node.js for her organization. The company is consdiering moving from a self hosted Node.js environment to one where Renee will run her code on application servers managed by a cloud vendor. What type of cloud solution is Renees's company considering?

PaaS

Auxiliary Station systems

on alarm ring out to local fire or police

RAID 0 Striped

one large disk out of several -Improved performance but no fault tolerance

Incremental

only modified files, archive bit cleared, Advantage: least time and space, Disadvantage first restore full then all incremental backups, thus less reliable because it depends on more components

Differential

only modified files, doesn't clear archive bit. Advantage: full and only last diff needed, Intermediate time between full and diff.

People

operators, management, technical support persons

Preset

ordinary door lock

Clearing

overwriting media to be reused

Proprietary systems

owned and operated by the customer. System provides many of the features in-house

Supplies and equipment

paper, forms HVAC Documenting the continuity strategy

Remote Journaling

parallel processing of transactions to an alternative site via communication lines

An IDS

part of a defense-in-depth security plan. It will work with, and complement, other security mechanisms such as firewalls, but it does not replace them.

Locard's Exchange Principle

perps leave something behind

Sufficient

persuasive enough to convince one of its validity

BCP committee

representatives from all department Senior staff (ultimate responsibility, due care/diligence) Various business units (identify and prioritize time critical systems) Information Systems Security Administrator People who will carry out the plan (execute)

Employee relations

responsibility towards employees and families

In other cases, forensic analysis may be asked to

review and interpret the log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.

Desk Check

review plan contents

RAIT

robotic mechanisms to transfer tapes between storage and drive mechanisms

Network-based DLP

scans all outgoing data looking for specific data. Administrators would place DLPs on the edge of the negative to scan all data leaving the organization.

Hearsay

secondhand data not admissible in court

Tape

sequential, slow read, fast write 200GB an hour, historically cheaper than disk (now changing), robotic libraries

CI's Build list

set of versions of component

Slack space on a disk

should be inspected for hidden data and should be included in a disk image

Hypervisor

software component that manages the virtual components. The hypervisor adds an additional attack surface, so it's important to ensure it is deployed in a secure state and kept uptodate with patches, controls access to physical resources

Hearsay Evidence

something a witness hears another one say. Also business records are hearsay and all that's printed or displayed.

Failover

switches to hot backup.

Recovery procedures

system should restart in secure mode Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals

Data loss prevention

systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns.

Entrapment

the illegal act of inducing a crime, the individual had no intent of committing the crime at first

Enticement

the legal action of luring an intruder, like in a honeypot

Techniques used for media analysis

the recovery of deleted files from unallocated sectors of the physical disk, the live analysis of storage media connected to a computer system (especially useful when examining encrypted media), and the static analysis of forensic images of storage media.

Confidentiality breaches

theft of sensitive information

Electronic vaulting

transfer of backup data to an offsite storage location via communication lines

Computer Crime Laws 3 types of harm

unauthorized intrusion, unauthorized alteration or destruction malicious code

Integrity breaches

unauthorized modification of information, violations are not limited to intentional attacks. Human error, oversight, or ineptitude accounts for many instances

Dark-net

unused network space that may detect unauthorized activity

Object reuse

use after initial use

Facilities

use of main buildings or any remote facilities

Primary Evidence

used at the trial because it is the most reliable.

Original documents

used to document things such as contracts -NOTE: no copies!

Territorial Reinforcements

walls fences flags

Hackers and crackers

want to verify their skills as intruders

Emergency restart

when a system restarts after a failure happens in an uncontrolled manner. E.g. when a low privileged user tries to access restricted memory segments

System cold start

when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system in a more consistent state.

Fault-tolerant

continues to function despite failure

Executive

enforces laws (administrative laws)

Security Incident

event or series of events that adversely impact the ability of an organization to do business

Security intrusion

evidence attacker attempted or gained access

Disadvantage of Service Bureau

expense and it is more of a short time option.

Hot Site Disadvantage:

extra administrative overhead, costly, security controls needs to be installed at the remote facility too. Exclusive to one company hours to be up

Pseudo flaw

false vulnerability in a system that may attract an attacker

Disk

fast read/write, less robust than tape

RAID 1 Mirrored drives

fault tolerance from disk errors and single disk failure, expensive; redundancy only, not speed

Business Attacks

focus on illegally obtaining an organization's confidential information.

Target Hardening

focus on locks, cameras guards

Interviewing

gather facts and determine the substance of the case.

The terms of UCITA

give legal backing to the previously questionable practices of shrink-wrap licensing and clickwrap licensing by giving them status as legally binding contracts.

Salvage team

goes back to the primary site to normal processing environmental conditions. Clean, repair, Salvage. Can declare when primary site is available again

Server clustering

group of independent servers which are managed as a single system. All servers are online and take part in processing service requests.

Natural Access control

guidance of people by doors fences bollards lightning. Security zones defined natural surveillance, territorial reinforcements, target hardening

Administrative/Regulatory law

how the industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties

Fail Hard - BSOD

human to see why it failed

Bind variables

in SQL used to enhance performance of a database

IPS intrusion prevention system

includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions.

Criminal law

individuals that violate government laws. Punishment mostly imprisonment

Noise and perturbation

inserting bogus information to hope to mislead an attacker

Forensic Disk Controller

intercepting and modifying or discarding commands sent to the storage device

Parallel tests

involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at an alternate site, main site open also

Full-interruption tests

involve relocating personnel to the alternate site and shutting down operations at the primary site.

Data haven

is a country or location that has no laws or poorly enforced laws

Financial disbursement, Media relations

Find someone to run it

The main motivation behind these attacks is the "high" of successfully breaking into a system

Script kiddies

Which one of the following is not requirement for evidence to be admissible in court?

The evidence must be tangible

MTTF

(mean time to failure)

Civil law

Europe, South America

3 branches for laws:

Legislative, Executive, Judicial

Types of Law

Operational, Criminal, Civil, eDiscovery

Other data center backup alternatives

Rolling/mobile sites Mobile homes or HVAC trucks.

Fences

Small mesh and high gauge is most secure 3-4 feet deters casual trespasser

Egress filtering

The practice of monitoring and potentially restricting the flow of information outbound from one network to another

Photo id card:

dumb cards

Financial Attacks

carried out to unlawfully obtain money or services.

Oral Evidence

is a type of Secondary Evidence so the case can't simply stand on it alone

Testimony from a witness

one of their 5 senses

Security incident

suspected attack

CI's used to build a CI Software Library

controlled area only accessible for approved users

Sabotage

is a criminal act of destruction or disruption committed against an organization by an employee.

Forensic Disk Controller Steps

Write Blocking, intercepts write commands sent to the device and prevents them from modifying data on the device Return data requested by a read operation Returning access significant information from device Reporting errors from device to forensic host

Multiple centers

(aka dual sites) Processing is spread over several computer centers. Can be managed by same corporation (inhouse) or with another organization (reciprocal agreement).

Hacktivists

(combination of hacker and activist), often combine political motivations with the thrill of hacking.

accunicator system

(detects movements on screen and alerts guards)

Optical media

(e.g., CDs, DVDs, Bluray discs)

Memory

(e.g., RAM, solid state storage)

Magnetic media

(e.g., hard disks, tapes)

Recording

(for later review) = detective control

MTTR

(mean time to repair)

EVIDENCE LIFECYCLE

1. Discovery 2. Protection 3. Recording 4. Collection and identification 5. Analysis 6. Storage, preservation, transportation 7. Present in court 8. Return to owner

Common criteria hierarchical recovery types

1. Manual System administrator intervention is required to return the system to a secure state 2. Automatic Recovery to an secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures) 3. Automatic without Undo Loss Higher level of recovery defining prevention against the undue loss of protected objects 4. Function system can restore functional processes automatically

System recovery after a system crash

1. Rebooting system in single user mode or recovery console, so no user access is enabled 2. Recovering all file systems that were active during failure 3. Restoring missing or damaged files 4. Recovering the required security characteristic, such as file security labels 5. Checking security critical files such as system password file

Focus on business processes

1. Scope and plan initiation Consider amount of work required, resources required, management practice 2. BIA - helps to understand impact of disruptive processes 3. Business Continuity Plan development a. Use BIA to develop BCP (strategy development phase bridges the gap between the business impact assessment and the continuity planning phases of BCP development) b. Testing 4. Plan approval and implementation Management approval Create awareness

Hot Site Advantage:

24/7 availability and exclusive use are assured. Short and long term.

Combination lock

3 digits with wheels

SQL -SUDIGR

6 basic SQL commands: Select, Update, Delete, Insert, Grant, Revoke

Honeyfarm

A centralized collection of honeypots and analysis tools

Infrared Linear Beam Sensors

A focused infrared (IR) light beam is projected from an emitter and bounced off of a reflector that is placed at the other side of the detection area

Configuration management (CM)

A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).

Change management

A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.

Security Informatn and Event Management (SIEM)

A group of technologies which aggregate information about access controls and selected system activity to store for analysis and correlation

Cipher Lock

A lock controlled by touch screen, typically 5 to 10 digits that when pushed in the right combination the lock will releases and allows entry

Mortise Lock

A lock or latch that is recessed into the edge of a door, rather than being mounted to its surface.

Rim Lock

A lock or latch typically mounted on the surface of a door, typically associated with a dead bolt type of lock

Intrusion detection system (IDS)

A solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access.

Intrusion Prevention System (IPS)

A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access.

Data Leak Prevention (DLP)

A suite of technologies aimed at stemming the loss of sensitive information that occurs in the enterprise.

Intrusion Detection System (IDS)

A technology that alerts organizations to adverse or unwanted activity

Prefabricated buildings

A very cold site.

Power users

Accounts granted greater privileges than normal user accounts when it is necessary for the user to have greater control over the system, but where administrative access is not required

Administrator accounts

Accounts that are assigned only to named individuals that require administrative access to the system to perform maintenance activities, and should be different and separate from a user's normal account.

Service accounts

Accounts used to provide privileged access used by system services and core applications

Service interruption

An attacker may destroy data, the main motivation is to compromise a system and perhaps use it to launch an attack against another victim.(Common to do website defacements)

Sandboxing

An isolated test environment that simulates the production environment but will not affect production components/data.

Statistical Anomaly-based IDS

Analyzes event data by comparing it to typical, known, or predicted traffic profiles in an effort to find potential security breaches

Media

Any object that contains data.

Mutual aid agreements (aka reciprocal agreement)

Arrangement with another similar corporation to take over processes. Advantage: cheap. Disadvantage: must be exact the same, is there enough capability, only for short term and what if disaster affects both corporations. Is not enforceable.

Script kiddies

Attackers who lack the ability to devise their own attacks will often download programs that do their work for them.

Failure preparation

Backup critical information thus enabling data recovery

Uninterruptible power supplies (UPS)

Batteries that provide temporary, immediate power during times when utility service is interrupted.

Five rules of evidence

Be authentic; evidence tied back to scene Be accurate; maintain authenticity and veracity Be complete; all evidence collected, for & against view Be convincing; clear & easy to understand for jury Be admissible; be able to be used in court

The use of the information gathered during the attack usually causes more damage than the attack itself.

Business Attacks (BA)

Optical drive

CD/DVD. Inexpensive

Facility site

CORE OF BUILDING (thus with 6 stores, on 3rd floor)

Direct Evidence

Can prove fact by itself and does not need any type of backup.

Magnetic Stripe (mag stripe) cards

Consist of a magnetically sensitive strip fused onto the surface of a PVC material, like a credit card

SERVICE BUREAU

Contract with a service bureau to fully provide alternate backup processing services.

Could be considered a cold site

In-house or external supply of hardware replacements. Stock of hardware either onsite or with a vendor. May be acceptable for warm site but not for hot site.

Live evidence

Data that are dynamic and exist in running processes or other volatile locations (e.g., system/device RAM) that disappear in a relatively short time once the system is powered down

Audit Trails

Date and time stamps Successful or not attempt Where the access was granted Who attempted access Who modified access privileges at supervisor level

Honeypot

Decoy servers or systems setup to gather information regarding an attacker or intruder into your system

Acoustic Sensors

Device that uses passive listening devices

Balanced Magnetic Switch (BMS)

Devices that use a magnetic field or mechanical contact to determine if an alarm signal is initiated

Steps for DRP

Documenting the Plan Activation and recovery procedures Plan management HR involvement Costs Required documentation Internal /external communications Detailed plans by team members

RAID 6

Dual Parity, parity distributed over all drives -requires all drives but two to be present to operate hot swappable

Business continuity Planning

Ensuring the business can continue in an emergency, 1st business organization analysis

Records and Information Management (RIM)

Essential activities to protect business information and can be established in compliance with laws, regulations, or corporate governance

Interrogation

Evidence retrieval method, ultimately obtain a confession

5Ways of processing a Root Cause Analysis

Failure Mode and Effects analysis Pareto Analysis Fault Tree Analysis Cause Mapping

Software Analysis

Forensic analysts may also be called on to conduct forensic reviews of applications or the activity that takes place within a running application.

Network Analysis

Forensic investigators are also often interested in the activity that took place over the network during a security incident.

HOT SITE - Internal/External

Fully configured computer facility. All applications are installed, up to date mirror of the production system. For extremely urgent critical transaction processing.

Tape Rotation Schemes

GF/Father/Son, Tower of Hanoi, Six Cartridge Weekly

RTO 5 minutes or hours

Hot site;

Incident Scene Management

ID the Scene Protect the environment ID evidence and potential sources of evidence Collect evidence - hash + Minimize the degree of contamination

Responsive areas illumination

IDS detects activities and turns on lightning NIST: for critical areas the area should be illuminated 8 feet in height with 2foot candle power

Traffic anomaly-based IDS

Identifies any unacceptable deviation from expected behavior based on actual traffic structure

Protocol Anomaly-Based IDS

Identifies any unacceptable deviation from expected behavior based on known network protocols

IPS

If desired, administrators can disable these extra features of an ______, essentially causing it to function as an IDS.

Other recovery issues

Interfacing with other groups: everyone outside the corporation

Judicial

Interprets laws (makes common laws out of court decisions)

Types of Network Forensic Analysis

Intrusion detection and prevention system logs Network flow data captured by a flow monitoring system Packet captures deliberately collected during an incident Logs from firewalls and other network security devices

Conclusive evidence

Irrefutable and cannot be contradicted, Requires no other corroboration

Potential for sabotage

It can become a risk if an employee is knowledgeable enough about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.

COLD SITE

Least ready but most commonly used. Has no hardware installed only power and HVAC.

Advantage of Warm Site

Less costly, more choices of location, less administrative resources. Disadvantage of Warm Site it will take some time to start production processing. Nonexclusive. 12 hours to be up

FAIR INFORMATION PRACTICES

Openness Collection Limitation Purpose Specification Use Limitation Data Quality Individual Participation Security Safeguards Accountability

JBOD

MOST BASIC TYPE OF STORAGE

Honeypots/honeynets

Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy malicious or unauthorized intruders, as a means of delaying their attempts to access production data/assets. A number of machines of this kind, linked together as a network or subnet, are referred to as a "honeynet."

MTBF

Mean time between failures (Useful Life) = MTTF + MTTR

Redundant

Mirrored site, potential 0 down time

Secondary Evidence

Not as strong as best evidence.

emergency response backup operations and post disaster recovery

Plan for _______________________ maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation

Steps for Due Process

Prepare questions and topics, put witness at ease, summarize information -interview/interrogation plan Have one person as lead and 12 others involved as well never interrogate or interview alone

Need-to-know

Primarily associated with organizations that assign clearance levels to all users and classification levels to all assets; restricts users with the same clearance level from sharing information unless they are working on the same effort. Entails compartmentalization.

Aggregation

Privilege Creep, accumulate privileges

Instant Keys

Provide a quick way to disable a key by permitting one turn of the master key to change a lock

Automating much of the routine work of log review

Provide real‐time analysis of events occurring on systems throughout an organization but don't necessarily scan outgoing traffic.

Parity bits

RAID technique; logical mechanism used to mark striped data; allows recovery of missing drive(s) by pulling data from adjacent drives.

Striping

RAID technique; writing a data set across multiple drives.

Disaster Recover

Recover as quickly as possible Heavy IT focus Allows the execution of the BCP Needs Planning Needs Testing CRITICAL, URGENT, IMPORTANT

Opinion Rule

Requires witnesses to testify only about the facts of the case, cannot be used as evidence in the case.

End Goal for Disaster Recovery

Restore normal business operations.

RAID4

Same as Raid 3 but striped on block level; 3 or more drives

Time domain Reflectometry (TDR)

Send induced radio frequency (RF) signals down a cable that is attached to the fence fabric

Disaster Recovery Planning

Statement of actions that have to be taken before, during and after a disruptive event that causes a significant loss of information

Locard's exchange principle

States that when a crime is committed, the perpetrators leave something behind and take something with them, hence the exchange

RAID 5

Striped on block level, parity distributed over all drives - requires all drives but one to be present to operate hot swappable. Interleave parity, recovery control; 3 or more drives

RAID 3

Striped on byte level with extra parity drive -Improved performance and fault tolerance, but parity drive is a single point of failure and write intensive. 3 or more drives

Corroborative Evidence

Supports or substantiates other evidence presented in a case

System reboot

System shuts itself down in a controlled manner after detecting inconsistent data structures or runs out of resources

Backup storage media

Tape, Disk, Optical Drive, Solid State

Criteria for Admissible Evidence

The evidence must be relevant to determining a fact. The fact that the evidence seeks to determine must be material (that is, related) to the case.

Separation of duties

The practice of ensuring that no organizational process can be completed by a single person; forces collusion as a means to reduce insider threats.

Job rotation

The practice of having personnel become familiar with multiple positions within the organization as a means to reduce single points of failure and to better detect insider threats.

Least privilege

The practice of only granting a user the minimal permissions necessary to perform their explicit job function.

Steganography

The science of hiding information

Chain of custody

The who, what, when, where, and how the evidence was handled—from its identification through its entire life cycle, which ends with destruction, permanent archiving, or returning ot owner.

Honeynet

Two or more honeypots on a network

Common law

USA, UK Australia Canada (judges)

Solid state

USB drive, security issues, protected by AES

Proximity Card (prox cards)

Use embedded antenna wires connected to a chip within the card through RF.

Expert Witnesses

Used to educate the jury, can be used as evidence

Circumstantial evidence

Used to help assume another fact, Cannot stand on its own to directly prove a fact

Wireless proximity cards

User activated System sensing

IDS intrusion detection system

automates the inspection of logs and realtime system events to detect intrusion attempts and system failures.

Data center should have:

Walls from floor to ceiling Floor: Concrete slab: 150 pounds square foot No windows in a datacenter Airconditioning should have own Emergency Power Off (EPO)

Six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of forensically recovered evidence:

When dealing with digital evidence, all of the general forensic and procedural principles must be applied. Upon seizing digital evidence, actions taken should not change that evidence. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession. Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.

Grudge Attacks

attacks that are carried out to damage an organization or a person. The damage could be in the loss of information or information processing capabilities or harm to the organization or a person's reputation. The result of grudge attacks

Local alarms

audible alarm for at least 4000 feet far

One exception to business records

audit trails and business records are not considered hearsay when the documents are created in the normal course of business.

Hardware/ Embedded Device Analysis Forensic analysts often must review the contents of hardware and embedded devices. This may include

a review of Personal computers & Smartphones

Intrusion detection

a specific form of monitoring that monitors recorded information and realtime events to detect abnormal activity indicating a potential incident or intrusion.

Disaster

any event, natural or manmade, that can disrupt normal IT operations

Events

anything that happens. Can be documented verified and analyzed

Redundant servers

applies raid 1 mirroring concept to servers. On error servers can do a failover. This AKA server fault tolerance

IDSs

are an effective method of detecting many DoS and DDoS attacks.

Bind variables

are placeholders for literal values in SQL query being sent to the database on a server

Thrill attacks

are the attacks launched only for the fun of it. Pride, bragging rights

Countermeasures against espionage

are to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.

Building

assembling a version of a CI using component

Field Powered device

active electronics, transmitter but gets power from the surrounding field from the reader

Glare protection

against blinding by lights Continuous lightning evenly distributed lightning

Power supplies

alarm systems needs separate circuitry and backup power

Multiplexer

allows multiple camera screens shown over one cable on a monitor Via coax cables (hence closed)

Exigent circumstances

allows officials to seize evidence before its destroyed (police team fall in)

An intrusion

an attacker is able to bypass or thwart security mechanisms and gain access to an organization's resources.

Configuration item (CI)

component whose state is recorded Version: recorded state of the CI

The disaster is not over until all operations have

been returned to their normal location and function (data verified at primary site as accurate)

Device lock

bolt down hardware

Transponders

both card and receiver holds power, transmitter and electronics Ensures that the security is not breached when a system crash or failure occurs. Only required for a B3 and A1 level systems.

Media analysis

branch of computer forensic analysis, involves the identification and extraction of information from storage media.

In some cases, when malicious insiders are suspected, the forensic analyst may be asked to

conduct a review of software code, looking for back doors, logic bombs, or other security vulnerabilities.

Reliable

consistent with fact, evidence has not been tampered with or modified

Uniform Computer Information Transactions Act

contains provisions that address software licensing.

Natural surveillance

cameras and guards

Attackers (espionage)

can be dissatisfied employees, and in some cases, employees who are being blackmailed from someone outside the organization.

A single NIDS

can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.

HIDS

can often examine events in more detail than an NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker.

Intrusion Detection Systems

can recognize attacks that come from external connections, such as an attack from the Internet, and attacks that spread internally such as a malicious worm. Once an IDS detect a suspicious event, they respond by sending alerts or raising alarms. In some cases, they can modify the environment to stop an attack.

Endpoint-based DLP

can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.

NIDS

cannot monitor the content of encrypted traffic but can monitor other packet details.

Raking

circumvent a pin tumbler lock

Individual computing devices on a cluster vs. a grid system

cluster devices all share the same OS and application software but grid devices can have different OSs while still working on same problem

RTO 1 tgt 2 weeks

cold site

The task of the network forensic analyst

collect and correlate information from these disparate sources and produce as comprehensive a picture of network activity as possible.

Configuration

collection of component CI's that make another CI

Chain of custody

collection, analysis and preservation of data Forensics uses bit-level copy of the disk

Preserved and identifiable

collection, reconstruction

Programmable

combination or electrical lock

Destruction

complete destroy preferably by burning

When investigating a hard drive

don't use message digest because it will change the timestamps of the files when the filesystem is not set to ReadOnly

FAIL SECURE

doors LOCK

FAIL SAFE

doors UNLOCK

CCTV

enables you to compare the audit trails and access logs with a visual recording

Direct Evidence

does not need other evidence to substantiate

3 states of information

data at rest (storage) data in transit (the network) data being processed (must be decrypted) / in use / endpoint

Purging

degaussing or overwriting to be removed

Network forensic analysis

depends on either prior knowledge that an incident is underway or the use of preexisting security controls that log network activity.

Military or intelligence attack

designed to extract classified or sensitive information.

Electromechanical

detect a break or change in a circuit magnets pulled lose, wires door, pressure pads

A benefit of HIDSs over NIDSs is that HIDSs can

detect anomalies on the host system that NIDSs cannot detect.

Passive infrared

detects changes in temperature

wave pattern motion detectors

detects motions

Attackers often commit espionage with the intent of

disclosing or selling the information to a competitor or other interested organization (such as a foreign government).

Fail safe system

program execution is terminated and system protected from compromise when hardware or software failure occurs DOORS usually

Electronic Access Control (EAC) proximity readers

programmable locks or biometric systems

A primary goal of an IDS

provide a means for a timely and accurate response to intrusions.

Third party, commercial services

provide alternate backups and processing facilities. Most common of implementations!

DRP Goal

provide organized way for decision making, reduce confusion and deal with the crisis. Planning and development must occur before the disaster (BIA has already been done, now were going to protect!)

Federal Sentencing Guidelines

provides judges and courts procedures on the prevention, detection and reporting

Terrorist Attacks

purpose of a terrorist attack is to disrupt normal life and instill fear

Advantage of Service Bureau

quick response and availability, testing is possible.

Fail soft or resilient system

reboot, selected, noncritical processing is terminated when failure occurs

RTO:

recovery time objectives. Refers to business processes not hardware.

Entitlement

refers to the amount of privileges granted to users, typically when first provisioning an account. A user entitlement audit can detect when employees have excessive privileges

Relevant

relationship to the findings must be reasonable and sensible, Proof of crime, documentation of events, proof of acts and methods used, motive proof, identification of acts

Admissible evidence

relevant, sufficient, reliable, does not have to be tangible

Data remanence

remaining data after erasure Format magnetic media 7 times (orange book)

Sam responsible for backing up his company's primary file server. He configured a backup schedule that performs full backups every Monday evening a 9pm. and differential backups on other days of the week at that same time. File change accourding to the information shown in the difure below. How many files will be compied in Wednesday's backup?

5

Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gainsed new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated?

Aggregation

Which one of the following events would constitute a security incident? 1. An attempted network intrusion, 2. A successful database intrusion, 3. A malware infection, 4. A violation of a confidentiality policy, 5. An unsuccessful attempt to remove information from a secured area.

All of the above 1. An attempted network intrusion, 2. A successful database intrusion, 3. A malware infection, 4. A violation of a confidentiality policy, 5. An unsuccessful attempt to remove information from a secured area.

Gina is a firwall administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, she checked the IDS, which reported that faggle attack was underway. Whatre FW configuration change can Gina make to most effectively prevent this attack?

Block UDP port 7 and 9 traffic from entering the network. Fraggle attacks uses UDP port 7 and 9

The historic ping of death attack is most simliar to which of the following model attack types?

Buffer overflow

Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system's security settings. Where would he most likely find this information?

Change log

Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and a minimal a commitment of time as possible. What type of test should she choose?

Checklist review

Beth is selecting a disaster recovery facility for her organization. She would like to choose a fcility that has appropriate enviromnetal controls and power for her operations but wants to minmize costs. She is willing to accept a lengthy recovery time. What type of facility should she choose?

Cold site

Frank is seeking to introduce a hacker's laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court rules tht the search of the apartment that resulted in the police finding the laptop was unconstitutional. What admissibility criteria prevents Frank from introducing the laptop as evidence?

Competence, was not legally obtained correctly

Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack?

Conduct forensic imaging of all systems

Which one of the following security tools consists of an unused network address space that may detect unauthorized activity?

Darknet

Quantum Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quantum can use to protect these tapes?

Data encryption

Reggie recently received a letter from his company's interal auditors scheduling the kickoff meeting for an assessment of his group. Which of the following should Reggie not expect to learn during that meeting?

Expected findings

Referring to the figure below, what technology is shown that provides fault tolerance for the database servers?

Failover cluster

What legal protection prevents law enforcement agencies from searching a facility or electronic system without either probable cause or consent?

Fourth Amendment

Which one of the following controls protects an organization in the event of a sustainied period of power loss?

Generators

Gordon suspects that a hacker has penetrated a system belonging to his compay. The system doesn't contain any regulated information and Gordon wished to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true?

Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belogning to the company

Which one of the following individuals is most likely to lead a regulatory investigation?

Government agent

Melanie suspects that someone is using malcious software to steal computing cycles from her company. Which one of the following security tools would be in teh best position to detect this type of incident?

HIDS (Host-based Intrusion Detection System)

Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own data center but also leverages an IaaS provider for hosting its web services and a SaaS email system. What term best describes the tyepe of cloud environment this organization uses?

Hybrid cloud

In virtualization platofrms, what name is given to the model that is responsible for controlling access to physical resources by virtual resources?

Hypervisor

In what virtualization model do full guest operating systems run on top of a virtualization platform?

Hypervisor

Which of the following would normally be considered an example of a disaster when performing diaster recovery planning? I. Hacking incident, II. Flood, III. Fire, IV. Terrorism

I, II, III, IV

Which of the following organizations would be likely to have a representative on CSIRT? I. Information security, II. Legal Counsel, III. Senior mgmt, IV. Engineering

I, III, IV

Which one the following secuirty tools is not capable of generating an active response to a security event?

IDS

Which one of the following frameworks focuses on IT service mgmt and includes topics such as change mgmt, config mgmt, and SLAs?

ITIL

Timber Indisturies recently go into a dispute with a customer. During a meeting with his account represetative, the customer stood up and declared, "There is no other solution. We will have to take this matter to court." He then left the room. When does Timber Industries have an obligation to begin preserving evidence?

Immediately begin preserving evidence

Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions?

Logging into a workstation

In what type of attack do attackers manage to insert themselves into a connection between a user and a legitimate website?

Man-in-the-Middle (MITM)

Tim is a forensic analyst who is attempting to retrieve information from a hard drive. It appears that teh user attempted to erase the data, and Time is trying to reconstruct it. What type of forensic analysis is Tim performing?

Media analysis

Which one of the following is not an example of a backup tape rotation scheme?

Meet in the middle

During what phase of the incident response process do administrators take action to limit the effect or scope of an incident?

Mitgation

Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearnce, but ther is no business justifcation for the access. Lydia denies this request. What security principle is she following?

Need to know

You are performing an investigation into a potential bot infection on your network an sish to perform a forensic analysis of the information that passed between different systems on your network and those on the Internet. You believe tht teh information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information?

Netflow data

Jim would like to identify compromiesed systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command and control servers. Which one of the following techniques would be most likely provide this information if Jim has access to a list known servers?

Netflow records. Contains a record of every network communication session, compare to a list of known malicious hosts.

Joe is the security administrator fo an ERP system. He is preparing to create accounts for several new employees. What defualt access should he give to all of the new employees as he creates the accounts?

No access

What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running?

Parallel test

Roger recently accepted a new position as a security pforessional at a company that runs its entire IT frastructure wihin an IaaS environment. Which one of the following would most likely be the responsibility of Roger's firm?

Patching operating systems

Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allow him to gain root access to that server. What type of attack took place?

Privilege escalation

Which one of the following is not a canon of the ISC2 code of ethics?

Promptly report security vulnerabilites to relevant authorities

Which one of the following might a security team use on a honeypot system to consume an attacker's time while alerting administrators?

Pseudoflaw, false vulnerability in a system that may attract an attacker.

In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor where one customer may not the other's identity?

Public cloud

Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?

Public domain

What level of RAID is also known as disk mirroring?

RAID-1 = disk mirroring

Which one of the following technologies would provide the most automation of an inventory control process in a cost effective manner?

RFID

What type of evidence consists entirely of tangible items that may be brought into a court of law?

Real evidence (Documentary-written items may or may not be in tangible form, Testimonial-verbal given by witness with relevant testimony, Parol-agreement is put into written form, all terms of agreement

Which one of the following techniques is not commonly used to remove unwanted remnant data from magentic tapes?

Reformatting

During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy?

Reporting

Bruce is seeing quite a bit of suspicious activity on his network. It appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in?

SSH scanning

Mark is considering replacing his organization's customer relationship mgmt (CRM) solution with a new product that is available in the cloud. THe new solution is completely managed by the vendor and Mark's company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering?

SaaS

Connor's company recently experienced a DoS attack that Connor believes came from an inside source. If true, what type of event has the company experienced?

Sabotage

Which one of the following techniques uses statistical methods to select a small number of records from a large pool for further analysis with the goal of choosing a set of records that is represetative of the entire pool?

Sampling, uses statistical techniques to choose a sample representative of the entire pool.

What technique can application developers use to test application in an ioslated virtualized environment before allowing themon a production network?

Sandboxing

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts orignating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alrets turn out to be false alarms after her investigation. This morning, the IDS alerted because teh network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. At this point in the incident response process, what term best describes what has occurred in Ann's organization?

Security event, no reason to believe security compromise or policy violation occurred

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts orignating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alrets turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking tino the origin of the traffic. At this point in the incident response process, what term best describes what has occurred in Ann's organization?

Security incident

Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary designs the program, he uses the matrix shown below. What principle of information security does this matrix most directly help enforce?

Segregation of duties matrix, used to prevent a user from acculmating two permissions that would create a potential conflict

When designeing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assigne superuse privleges to an account. What information security principle is Hilda following?

Separation of duties

Which one fo the following types of agreements is the most formal document that ocntains expecations about availability and other performance parameters between a service provider and a customer?

Service Level Agreement (SLA)

Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?

Service pack

Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business?

Software Escrow agreements, places a copy of the source code for software to a 3rd party, who will turn code over to customer if business ops stops.

Jerome is conducting a forensic invetisgation and is reviewing databse server logs to invetisage query contesnt for evidence SQL injection attacks. What type of analysis is he performing?

Software analysis

Under what virtualization model does the vituralization platform separate the network control plane from the data plane and replace complex network devices with simpler devices that simply receive instructions from the controller?

Software-defined networking

Joe is an investigator with a law enforcment agency. He recived a tip that a suspect is communicating sensitive information with a 3rd party via a message board. After obtaining a warrant for the message, he obtained the contents and found that teh message only contanins the image show in the figure below. If this is the sole content of teh communication, what techniques could teh suspect have used to embed sensitive infomraiton in the message?

Steganography

Which of the following is not ture about the ISC2 code of ethics?

The code applies to all members of the information security profession

Toni responds to the desk of a user who reports slow system activity. Upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user doesn't use social media, and when Toni checks the accounts in question, they contain strange messages that appear encrypted. What is the most likely cause of this traffic?

Toni's computer is part of a botnet

Which one of the following traffic types should not be blocked by an organization's egress filtering policy?

Traffic with a destination address on a external network

Which of the following is an example of a manmade disaster?

Transformer failure

What type of trust relationship extends beyond the two domains participating in the trust to on or more of their subdomains?

Transitive trusts

Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply?

Two person control

Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee's manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?

Two person control

Which one of the following is an example of computer security incident?

Unauthorized vulnerability scan of a file server

What technique has been used to protec teh IP in the image shown below?

Watermarking