CISSP Domain 7 Security Operations


What is DLP?

Data Loss Prevention (DLP) systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns.

What are the pros and cons of a network-based IDS?

It can monitor a large network and can be hardened against attack. It may be unable to handle large data flows, requires a central view of traffic, and can't pinpoint compromised resources.

What are the pros and cons of a host-based IDS?

It can pinpoint resources compromised by a malicious user. It can't detect network-only attacks or attacks on other systems, has difficulty detecting DoS attacks, and can be detected by intruders.

How does the teardrop attack operate?

It sends overlapping packet fragments to the victim machine.

What term describes damage resulting from arson, human error, acts of terrorism, or power outages and other utility failures?

Man-made disaster

What policy requires users to spend at least a week away from their jobs on an annual basis to help prevent fraud?

Mandatory vacations

What are the branches of forensic analysis?

Media analysis, network analysis, software analysis, and hardware/embedded device analysis

How might you describe a site housed in self-contained transportable units with all the control, hardware, and software elements necessary to establish an operational, safe computing environment?

Mobile site

What type of recovery site is particularly suited to workgroup recovery options?

Mobile site

Which alternate processing arrangement is rarely implemented?

Mutual Assistance Agreements (MAA)

What term describes damage from disruptive and irresistible forces of nature (such as earthquakes, floods, storms, and so on)?

Natural disaster

What determines how often an audit should be performed?

Risk

What type of attack leverages part of the TCP three-way handshake?

SYN flood attack

What is the proper name for a criminal act committed against an organization by a current or former employee who exploits knowledge gained on the job in its perpetration?

Sabotage

In relation to auditing and monitoring, what is sampling?

Sampling, or data extraction, is the process of extracting specific elements from a large collection of data to construct a meaningful representation or summary of the whole. In other words, sampling is a form of data reduction that allows someone to glean valuable information by looking at only a small sample of data in an audit trail.

What is sandboxing?

Sandboxing provides a security boundary for applications and prevents the application from interacting with other applications. Anti-malware applications use sandboxing techniques to test unknown applications. If the application displays suspicious characteristics, the sandboxing technique prevents the application from infecting other applications or the operating system.

What are scanning attacks?

Scanning attacks are reconnaissance attacks that usually precede another, more serious attack.

Many organizations use a centralized application to automate monitoring of systems on a network. Name three terms that refer to these types of systems.

Security Information and Event Management (SIEM), Security Event Management (SEM), and Security Information Management (SIM)

What is segregation of duties?

Segregation of duties is similar to a separation of duties and responsibilities policy, but it also combines the principle of least privilege. The goal is to ensure that individuals do not have excessive system access that may result in a conflict of interest.

What is the best protection against a computer joining a botnet?

Up-to-date antivirus software

True or false? In most circumstances, it is illegal for an employer to monitor an employee's email.

FALSE

What does a business attack focus on?

A business attack focuses on illegally obtaining an organization's confidential information. This could be information that is critical to the operation of the organization, such as a secret recipe, or information that could damage the organization's reputation if disclosed, such as personal information about its employees.

What does a civil investigation focus on?

A civil investigation typically does not involve law enforcement but rather involves internal employees and outside consultants working on behalf of a legal team. It prepares the evidence necessary to present a case in civil court resolving a dispute between two parties.

What does a criminal investigation focus on?

A criminal investigation, typically conducted by law enforcement personnel, investigates the alleged violation of criminal law. A criminal investigation may result in charging suspects with a crime and the prosecution of those charges in criminal court.

What is DDoS?

A distributed denial of service (DDoS) attack occurs when multiple systems attack a single system at the same time.

What is DRDoS?

A distributed reflective denial of service (DRDoS) attack is a variant of a DoS attack that uses a reflected approach. In other words, it doesn't attack the victim directly but instead manipulates traffic or a network service so that the attacks are reflected back to the victim from other sources.

Define a fail-open system.

A fail-open system will fail in an open state, granting all access.

Define a fail-secure system.

A fail-secure system will default to a secure state in the event of a failure, blocking all access.

What is a failover cluster?

A failover cluster includes two or more servers, and if one of the servers fails, another server in the cluster can take over its load in an automatic process called failover. Failover clusters can include multiple servers (not just two), and they can also provide fault tolerance for multiple services or applications.

What is a honeypot or a honeynet?

A honeypot is an individual computer created as a trap for intruders. A honeynet is two or more networked honeypots used together to simulate a network. They look and act like legitimate systems, but they do not host data of any real value for an attacker.

What does an operational investigation focus on?

An operational investigation examines issues related to the organization's computing infrastructure and has the primary goal of resolving operational issues.

Name two common types of DLP.

A network-based DLP scans all outgoing data looking for specific data. An endpoint-based DLP can scan files stored on a system and files sent to external devices.

What is a padded cell?

A padded cell system is similar to a honeypot, but it performs intrusion isolation using a different approach. When an IDS detects an intruder, that intruder is automatically transferred to a padded cell.

What is a pseudo flaw?

A pseudo flaw is a false vulnerability or apparent loophole intentionally implanted in a system in an attempt to tempt attackers. Pseudo flaws are often used on honeypot systems to emulate well-known operating system vulnerabilities.

What feature of insurance can improve your ability to replace lost or damaged assets?

Actual Cost Value (ACV)

What are the functions of an intrusion detection system (IDS)?

An IDS automates the inspection of audit logs and real-time system events, detects intrusion attempts, and watches for violations of confidentiality, integrity, and availability.

What should be done to verify patches have been applied?

Audit patches, or use a vulnerability scanner to verify patches have been applied

When a disaster strikes but your ability to perform work tasks is only threatened, not actually interrupted, what response should be used?

BCP

What is the leading reason many incidents are not reported?

Because they are not recognized as incidents

What form of testing examines the input and output of a program without access to the internal logical structures?

Black-box testing

Which type of computer crime attacks an organization's computer system to extract confidential information?

Business attack

If a witness is not able to uniquely identify an object, how else may it be authenticated in court?

By establishing a chain of evidence

What is the most common document type used for emergency response plans?

Checklists

What is a nonstatistical sampling method that only records or alerts on events that exceed a threshold?

Clipping levels

What technology can be used to minimize the impact of a server failure immediately before the next backup was scheduled?

Clustering servers adds a degree of fault tolerance, protecting against the impact of a single server failure.

What label applies to a partial standby facility for which power and other infrastructure elements are available, but for which no operational computing facilities are supplied in advance of a disaster?

Cold site

An attack has a negative effect on the confidentiality, integrity, or availability of an organization's assets. What is this called?

Computer security incident

When an intrusion is detected, what should be the first response?

Contain or constrain the intrusion.

What are the five steps in incident response quoted in the CISSP CIB?

Detection, Response, Reporting, Recovery, Remediation and Review

Which backup format stores only those files that have been set with the archive bit and have been modified since the last complete backup?

Differential backup

What does DRP stand for, and what does it mean?

Disaster recovery planning (DRP) is the practice of establishing and executing recovery actions as part of an emergency response following a disaster.

What is it called when malware is installed on a user's system after visiting a website?

Drive-by download

Name some common natural disasters.

Earthquakes, floods, storms, tornadoes, and fires

What three generic elements can help prevent malware infections?

Education, policies, and tools

What is egress monitoring?

Egress monitoring refers to monitoring outgoing traffic to prevent data exfiltration, which is the unauthorized transfer of data. Some common methods used to prevent data exfiltration are data loss prevention techniques, looking for steganography attempts, and watermarking.

What is electronic vaulting?

Electronic vaulting uses bulk transfers to copy database contents to a remote site on a periodic basis.

What is the proper name for the illegal intent behind obtaining and profiting from sensitive information that belongs to some third party (government, corporation, individual, and so on)?

Espionage

What are the steps of a patch management program?

Evaluate, test, apply, audit patches

What organization sponsors the National Flood Insurance Program and is a good source of historical flood information?

Federal Emergency Management Agency (FEMA)

What are financial attacks?

Financial attacks are carried out to unlawfully obtain money or services. They are the type of computer crime you most commonly hear about in the news. The goal of a financial attack could be to steal credit card numbers, increase the balance in a bank account, or place free long-distance telephone calls.

What disaster recovery system is often highly dependent on the public water supply?

Fire suppression system

Once an intrusion has occurred, what is the most secure process for restoring the environment?

Format and reinstall from scratch.

What are the three major types of filesystem backups?

Full backups, incremental backups, and differential backups

What form of testing examines the input and output of a program with access to the internal logical structures?

Gray-box testing

What are grudge attacks?

Grudge attacks are attacks that are carried out to damage an organization or a person. The damage could be in the loss of information or information processing capabilities or harm to the organization or a person's reputation.

What is the most common cause of unplanned downtime?

Hardware failures

What is a honeynet, and what is it used for?

Honeynets are fake networks used to lure intruders in order to create sufficient audit trails for tracking them down and prosecuting. Honeynets contain no real or sensitive data.

What form of IDS is easier for an intruder to discover and disable?

Host-based IDS

What label applies to a standby facility that is ready to take over for a primary facility as soon as notice is received that the primary facility has gone down?

Hot site

What are the three major options for alternative processing sites?

Hot sites, warm sites, and cold sites

What are some examples of alternate processing facilities that should be considered when designing a DRP?

Hot, warm, and cold sites; mobile sites; service bureaus; multiple sites; and reciprocal agreements

What is electronic discovery?

In legal proceedings, each side has a duty to preserve evidence related to the case and, through the discovery process, share information with their adversary in the proceedings. This discovery process applies to both paper records and electronic records, and the electronic discovery (or eDiscovery) process facilitates the processing of electronic information for disclosure.

What are the differences between knowledge-based and behavior-based detection methods used by IDS?

Knowledge-based detection uses a signature database and tries to match monitored events against that database. Behavior-based detection learns what normal activity on your system looks like by watching it over time and then flags deviations from that baseline.

While containing an incident, what is the next important consideration?

Protection of evidence

What use is QoS?

Quality of Service (QoS) controls protect the integrity of data networks under load. Many different factors contribute to the quality of the end user experience, and QoS attempts to manage all of those factors to create an experience that meets business requirements.

What is an APT?

Recent years marked the rise of sophisticated attackers known as advanced persistent threats (APTs). These attackers are well funded and have advanced technical skills and resources. They act on behalf of a nation-state, organized crime, terrorist group, or other sponsor and wage highly effective attacks against a very focused target in order to maintain persistent unauthorized access or effect.

What types of activities are labeled as auditing?

Recording of event/occurrence data, examination of data, data reduction, use of event/occurrence alarm triggers, log analysis, logging, monitoring, using alerts, intrusion detection

What procedure returns business operations and processes to a working state?

Recovery

What kind of strategy drives defining practices, policies, and procedures to restore a business to normal operation in the wake of some kind of outage or disaster?

Recovery strategy

In which stage of incident response should a root cause analysis be conducted?

Remediation and Review

What is steganography?

Steganography is the practice of embedding a message within a file.

What is system resilience?

System resilience refers to the ability of a system to maintain an acceptable level of service during an adverse event. This could be a hardware fault managed by fault-tolerant components, or it could be an attack managed by other controls such as effective intrusion detection and prevention systems.

True or false? Organizations participating in a mutual assistance agreement are typically located in the same geographic region.

TRUE

Which type of computer crime would likely be timed to occur simultaneously with a physical attack to reduce the ability to effectively respond to the physical attack?

Terrorist attack

What are terrorist attacks?

Terrorist attacks are a reality in modern society. Our increasing reliance on information systems makes them more and more attractive to terrorists. Such attacks differ from military and intelligence attacks. The purpose of a terrorist attack is to disrupt normal life and instill fear, whereas a military or intelligence attack is designed to extract secret information.

What is industrial espionage?

The gathering of a competitor's confidential information, also called industrial espionage, is not a new phenomenon. Businesses have used illegal means to acquire competitive information for many years. The temptation to steal a competitor's trade secrets and the ease with which a savvy attacker can compromise some computer systems makes this type of attack attractive.

If an incident has occurred that has violated no laws or regulations, how do you determine whether to report it?

The incident reporting guidelines should be in your security policy.

What are thrill attacks?

Thrill attacks are attacks launched only for the fun of it.

What is the purpose of auditing?

To ensure compliance with security policy and to detect abnormalities, unauthorized occurrences, or outright crimes

How are audit trails used?

To reconstruct an event, to extract information about an incident, to prove or disprove culpability

What is versioning?

Versioning typically refers to version control used in software configuration management. A labeling or numbering system differentiates between different software sets and configurations across multiple machines or at different points in time on a single machine.

What is CVE?

Vulnerabilities are commonly referred to using the Common Vulnerabilities and Exposures (CVE) dictionary. The CVE dictionary provides a standard convention used to identify vulnerabilities. MITRE maintains the CVE database.

What would be completed to check an entire organization for weaknesses?

Vulnerability assessment

What tool can check for weaknesses in systems?

Vulnerability scanner

What can be used to verify patches have been applied?

Vulnerability scanner or a patch management system

What is war dialing?

War dialing means using a modem to search for a system that accepts inbound connection attempts.

What is watermarking?

Watermarking is the practice of embedding an image or pattern in paper that isn't readily perceivable. It is often used with currency to thwart counterfeiting attempts. Similarly, organizations often use watermarking in digital documents and other types of files.

What type of disaster recovery separates recovery sites by business teams?

Workgroup recovery

An attacker has launched an attack using a vulnerability known only to him. What is this called?

Zero-day exploit

What are computers in a botnet commonly called?

Zombies
