CISSP Domain 7: Security Operations

Ace your homework & exams now with Quizwiz!

A suite of technologies aimed at stemming the loss of sensitive information that occurs in the enterprise.

Data Leak Prevention (DLP)

Walls from floor to ceiling Floor: Concrete slab: 150 pounds square foot No windows in a datacenter Airconditioning should have own Emergency Power Off (EPO)

Data center should have:

Provide real‐time analysis of events occurring on systems throughout an organization but don't necessarily scan outgoing traffic.

Automating much of the routine work of log review

on alarm ring out to local fire or police

Auxiliary Station systems

is a country or location that has no laws or poorly enforced laws

Data haven

systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns.

Data loss prevention

remaining data after erasure Format magnetic media 7 times (orange book)

Data remanence

live processing of remote journaling and creating duplicates of the database sets to multiple servers

Database shadowing

review plan contents

Desk Check

Checklist review

Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and a minimal a commitment of time as possible. What type of test should she choose?

MOST BASIC TYPE OF STORAGE

JBOD

Least privilege

Javier is verifying that only IT systems administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?

Software analysis

Jerome is conducting a forensic invetisgation and is reviewing databse server logs to invetisage query contesnt for evidence SQL injection attacks. What type of analysis is he performing?

(mean time to failure)

MTTF

(mean time to repair)

MTTR

Consist of a magnetically sensitive strip fused onto the surface of a PVC material, like a credit card

Magnetic Stripe (mag stripe) cards

(e.g., hard disks, tapes)

Magnetic media

SaaS

Mark is considering replacing his organization's customer relationship mgmt (CRM) solution with a new product that is available in the cloud. THe new solution is completely managed by the vendor and Mark's company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering?

Any object that contains data.

Media

branch of computer forensic analysis, involves the identification and extraction of information from storage media.

Media analysis

HIDS (Host-based Intrusion Detection System)

Melanie suspects that someone is using malcious software to steal computing cycles from her company. Which one of the following security tools would be in teh best position to detect this type of incident?

(e.g., RAM, solid state storage)

Memory

designed to extract classified or sensitive information.

Military or intelligence attack

limit the effect or scope of an incident

Mitigation

A lock or latch that is recessed into the edge of a door, rather than being mounted to its surface.

Mortise Lock

(aka dual sites) Processing is spread over several computer centers. Can be managed by same corporation (inhouse) or with another organization (reciprocal agreement).

Multiple centers

allows multiple camera screens shown over one cable on a monitor Via coax cables (hence closed)

Multiplexer

replayed (video images)

Multiplexing Attacks:

Arrangement with another similar corporation to take over processes. Advantage: cheap. Disadvantage: must be exact the same, is there enough capability, only for short term and what if disaster affects both corporations. Is not enforceable.

Mutual aid agreements (aka reciprocal agreement)

cannot monitor the content of encrypted traffic but can monitor other packet details.

NIDS

monitors and evaluates network activity to detect attacks or event anomalies.

NIDS Network-based IDS

guidance of people by doors fences bollards lightning. Security zones defined natural surveillance, territorial reinforcements, target hardening

Natural Access control

cameras and guards

Natural surveillance

Primarily associated with organizations that assign clearance levels to all users and classification levels to all assets; restricts users with the same clearance level from sharing information unless they are working on the same effort. Entails compartmentalization.

Need-to-know

Forensic investigators are also often interested in the activity that took place over the network during a security incident.

Network Analysis

depends on either prior knowledge that an incident is underway or the use of preexisting security controls that log network activity.

Network forensic analysis

scans all outgoing data looking for specific data. Administrators would place DLPs on the edge of the negative to scan all data leaving the organization.

Network-based DLP

Striped on block level, parity distributed over all drives - requires all drives but one to be present to operate hot swappable. Interleave parity, recovery control; 3 or more drives

RAID 5

Dual Parity, parity distributed over all drives -requires all drives but two to be present to operate hot swappable

RAID 6

is same as raid5, but all drives act as one single virtual disk

RAID 7

Same as Raid 3 but striped on block level; 3 or more drives

RAID4

robotic mechanisms to transfer tapes between storage and drive mechanisms

RAIT

cold site

RTO 1 tgt 2 weeks

warm site

RTO 12 days

mobile site

RTO 35 days

Hot site;

RTO 5 minutes or hours

recovery time objectives. Refers to business processes not hardware.

RTO:

circumvent a pin tumbler lock

Raking

IDS detects activities and turns on lightning NIST: for critical areas the area should be illuminated 8 feet in height with 2foot candle power

Responsive areas illumination

Latency

Richard is experiencing issues with the quality of network service on his organization's network. The primary symptom is that packets are consitently taking too long to travel from source to their destination. What term describes the issue Richard is facing?

A lock or latch typically mounted on the surface of a door, typically associated with a dead bolt type of lock

Rim Lock

Patching operating systems

Roger recently accepted a new position as a security pforessional at a company that runs its entire IT frastructure wihin an IaaS environment. Which one of the following would most likely be the responsibility of Roger's firm?

Contract with a service bureau to fully provide alternate backup processing services.

SERVICE BUREAU

6 basic SQL commands: Select, Update, Delete, Insert, Grant, Revoke

SQL -SUDIGR

is a criminal act of destruction or disruption committed against an organization by an employee.

Sabotage

goes back to the primary site to normal processing environmental conditions. Clean, repair, Salvage. Can declare when primary site is available again

Salvage team

5

Sam responsible for backing up his company's primary file server. He configured a backup schedule that performs full backups every Monday evening a 9pm. and differential backups on other days of the week at that same time. File change accourding to the information shown in the difure below. How many files will be compied in Wednesday's backup?

An isolated test environment that simulates the production environment but will not affect production components/data.

Sandboxing

Attackers who lack the ability to devise their own attacks will often download programs that do their work for them.

Script kiddies

Not as strong as best evidence.

Secondary Evidence

event or series of events that adversely impact the ability of an organization to do business

Security Incident

A group of technologies which aggregate information about access controls and selected system activity to store for analysis and correlation

Security Informatn and Event Management (SIEM)

suspected attack

Security incident

evidence attacker attempted or gained access

Security intrusion

The practice of ensuring that no organizational process can be completed by a single person; forces collusion as a means to reduce insider threats.

Separation of duties

group of independent servers which are managed as a single system. All servers are online and take part in processing service requests.

Server clustering

Accounts used to provide privileged access used by system services and core applications

Service accounts

An attacker may destroy data, the main motivation is to compromise a system and perhaps use it to launch an attack against another victim.(Common to do website defacements)

Service interruption

more comprehensive and may impact one or more noncritical business units of the organization, all support personnel meet in a practice room

Simulation tests

When dealing with digital evidence, all of the general forensic and procedural principles must be applied. Upon seizing digital evidence, actions taken should not change that evidence. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession. Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.

Six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of forensically recovered evidence:

should be inspected for hidden data and should be included in a disk image

Slack space on a disk

Credential cards with one or more microchip processing that accepts or processes infomraiton and can be contact or contact less.

Smart Cards

Forensic analysts may also be called on to conduct forensic reviews of applications or the activity that takes place within a running application.

Software Analysis

USB drive, security issues, protected by AES

Solid state

Analyzes event data by comparing it to typical, known, or predicted traffic profiles in an effort to find potential security breaches

Statistical Anomaly-based IDS

both card and receiver holds power, transmitter and electronics Ensures that the security is not breached when a system crash or failure occurs. Only required for a B3 and A1 level systems.

Transponders

cylinder slot

Tumbler lock

Operational, Criminal, Civil, eDiscovery

Types of Law

Intrusion detection and prevention system logs Network flow data captured by a flow monitoring system Packet captures deliberately collected during an incident Logs from firewalls and other network security devices

Types of Network Forensic Analysis

Public domain

Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?

Software-defined networking

Under what virtualization model does the vituralization platform separate the network control plane from the data plane and replace complex network devices with simpler devices that simply receive instructions from the controller?

contains provisions that address software licensing.

Uniform Computer Information Transactions Act

is a federal law that provides a common framework for the conduct of computer-related business transactions.

Uniform Computer Information Transactions Act (UCITA)

Batteries that provide temporary, immediate power during times when utility service is interrupted.

Uninterruptible power supplies (UPS)

(detects movements on screen and alerts guards)

accunicator system

magnetic field detects presence around an object

proximity or capacitance detector

provide organized way for decision making, reduce confusion and deal with the crisis. Planning and development must occur before the disaster (BIA has already been done, now were going to protect!)

DRP Goal

Expert opinion

Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor request that Darcy give testimony in court about whether, in her opinon, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide?

unused network space that may detect unauthorized activity

Dark-net

collection of component CI's that make another CI

Configuration

component whose state is recorded Version: recorded state of the CI

Configuration item (CI)

when a system restarts after a failure happens in an uncontrolled manner. E.g. when a low privileged user tries to access restricted memory segments

Emergency restart

responsibility towards employees and families

Employee relations

Legislative, Executive, Judicial

3 branches for laws:

data at rest (storage) data in transit (the network) data being processed (must be decrypted) / in use / endpoint

3 states of information

Used to educate the jury, can be used as evidence

Expert Witnesses

doors UNLOCK

FAIL SAFE

doors LOCK

FAIL SECURE

Failure Mode and Effects analysis Pareto Analysis Fault Tree Analysis Cause Mapping

5Ways of processing a Root Cause Analysis

Openness Collection Limitation Purpose Specification Use Limitation Data Quality Individual Participation Security Safeguards Accountability

FAIR INFORMATION PRACTICES

against blinding by lights Continuous lightning evenly distributed lightning

Glare protection

Mean time between failures (Useful Life) = MTTF + MTTR

MTBF

detect anomalies on the host system that NIDSs cannot detect.

A benefit of HIDSs over NIDSs is that HIDSs can

not permitted if the original, Best Evidence, is available -Copies of documents.

A copy Secondary Evidence

provide a means for a timely and accurate response to intrusions.

A primary goal of an IDS

can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.

A single NIDS

Device that uses passive listening devices

Acoustic Sensors

microphones, vibrations sensors

Acoustical detection

how the industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties

Administrative/Regulatory law

Accounts that are assigned only to named individuals that require administrative access to the system to perform maintenance activities, and should be different and separate from a user's normal account.

Administrator accounts

relevant, sufficient, reliable, does not have to be tangible

Admissible evidence

quick response and availability, testing is possible.

Advantage of Service Bureau

Less costly, more choices of location, less administrative resources. Disadvantage of Warm Site it will take some time to start production processing. Nonexclusive. 12 hours to be up

Advantage of Warm Site

Privilege Creep, accumulate privileges

Aggregation

Clipping, uses threshold values to select records that exceed predefined values, most interest to analysts

Allie is responsible for reviewing authentication logs on her organization's network. She doesn't have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool?

part of a defense-in-depth security plan. It will work with, and complement, other security mechanisms such as firewalls, but it does not replace them.

An IDS

an attacker is able to bypass or thwart security mechanisms and gain access to an organization's resources.

An intrusion

Security event, no reason to believe security compromise or policy violation occurred

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts orignating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alrets turn out to be false alarms after her investigation. This morning, the IDS alerted because teh network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. At this point in the incident response process, what term best describes what has occurred in Ann's organization?

DNS

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts orignating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alrets turn out to be false alarms after her investigation. This morning, the IDS alerted because teh network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking tino the origin of the traffic. Ann continues her investigation and realizes that the traffic generating the alert in abnormally high volumes of inbound UDP traffic on port 53. What service typicall uses this port?

DoS attack

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts orignating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alrets turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking tino the origin of the traffic. As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate uses. The inbound packets are responses to quires that she doesn't see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect?

Security incident

Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts orignating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alrets turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking tino the origin of the traffic. At this point in the incident response process, what term best describes what has occurred in Ann's organization?

can be dissatisfied employees, and in some cases, employees who are being blackmailed from someone outside the organization.

Attackers (espionage)

disclosing or selling the information to a competitor or other interested organization (such as a foreign government).

Attackers often commit espionage with the intent of

Date and time stamps Successful or not attempt Where the access was granted Who attempted access Who modified access privileges at supervisor level

Audit Trails

representatives from all department Senior staff (ultimate responsibility, due care/diligence) Various business units (identify and prioritize time critical systems) Information Systems Security Administrator People who will carry out the plan (execute)

BCP committee

Tape, Disk, Optical Drive, Solid State

Backup storage media

Devices that use a magnetic field or mechanical contact to determine if an alarm signal is initiated

Balanced Magnetic Switch (BMS)

Cold site

Beth is selecting a disaster recovery facility for her organization. She would like to choose a fcility that has appropriate enviromnetal controls and power for her operations but wants to minmize costs. She is willing to accept a lengthy recovery time. What type of facility should she choose?

are placeholders for literal values in SQL query being sent to the database on a server

Bind variables

in SQL used to enhance performance of a database

Bind variables

Privilege escalation

Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allow him to gain root access to that server. What type of attack took place?

Hybrid cloud

Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own data center but also leverages an IaaS provider for hosting its web services and a SaaS email system. What term best describes the tyepe of cloud environment this organization uses?

SSH scanning

Bruce is seeing quite a bit of suspicious activity on his network. It appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in?

assembling a version of a CI using component

Building

focus on illegally obtaining an organization's confidential information.

Business Attacks

Ensuring the business can continue in an emergency, 1st business organization analysis

Business continuity Planning

enables you to compare the audit trails and access logs with a visual recording

CCTV

set of versions of component

CI's Build list

controlled area only accessible for approved users

CI's used to build a CI Software Library

Least ready but most commonly used. Has no hardware installed only power and HVAC.

COLD SITE

Aggregation

Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gainsed new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated?

DLP

Carolyn is concerned that users on her network may be storing sensitive information, such as SSN, on their hard drives without proper authorization or security controls. What technology can she use to best detect this activity?

less than 10mins travel time for e.g. an private security firm

Central stations

The who, what, when, where, and how the evidence was handled—from its identification through its entire life cycle, which ends with destruction, permanent archiving, or returning ot owner.

Chain of custody

collection, analysis and preservation of data Forensics uses bit-level copy of the disk

Chain of custody

will detect it and prevent it from leaving the organization. The system will send an alert, such as an email to an administrator.

If a user sends out a file containing restricted data, the DLP system

A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.

Change management

A lock controlled by touch screen, typically 5 to 10 digits that when pushed in the right combination the lock will releases and allows entry

Cipher Lock

Electrical

Cipher Lock

Used to help assume another fact, Cannot stand on its own to directly prove a fact

Circumstantial evidence

Europe, South America

Civil law

wrongs against individual or organization that result in a damage or loss. Punishment can include financial penalties. AKA tort law (I'll Sue You!) Jury decides liability

Civil law

overwriting media to be reused

Clearing

Cost, ease of location choice. Nonexclusive. week

Cold Site Advantage

3 digits with wheels

Combination lock

1. Manual System administrator intervention is required to return the system to a secure state 2. Automatic Recovery to an secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures) 3. Automatic without Undo Loss Higher level of recovery defining prevention against the undue loss of protected objects 4. Function system can restore functional processes automatically

Common criteria hierarchical recovery types

USA, UK Australia Canada (judges)

Common law

unauthorized intrusion, unauthorized alteration or destruction malicious code

Computer Crime Laws 3 types of harm

Irrefutable and cannot be contradicted, Requires no other corroboration

Conclusive evidence

theft of sensitive information

Confidentiality breaches

A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).

Configuration management (CM)

Sabotage

Connor's company recently experienced a DoS attack that Connor believes came from an inside source. If true, what type of event has the company experienced?

no bleeding over no blinding Standby Lightning timers

Controlled lightning

Supports or substantiates other evidence presented in a case

Corroborative Evidence

In-house or external supply of hardware replacements. Stock of hardware either onsite or with a vendor. May be acceptable for warm site but not for hot site.

Could be considered a cold site

are to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.

Countermeasures against espionage

individuals that violate government laws. Punishment mostly imprisonment

Criminal law

The evidence must be relevant to determining a fact. The fact that the evidence seeks to determine must be material (that is, related) to the case.

Criteria for Admissible Evidence

complete destroy preferably by burning

Destruction

bolt down hardware

Device lock

only modified files, doesn't clear archive bit. Advantage: full and only last diff needed, Intermediate time between full and diff.

Differential

Can prove fact by itself and does not need any type of backup.

Direct Evidence

does not need other evidence to substantiate

Direct Evidence

Very lengthy time of restoration, false sense of security but better than nothing.

Disadvantage of Cold Site

expense and it is more of a short time option.

Disadvantage of Service Bureau

any event, natural or manmade, that can disrupt normal IT operations

Disaster

Recover as quickly as possible Heavy IT focus Allows the execution of the BCP Needs Planning Needs Testing CRITICAL, URGENT, IMPORTANT

Disaster Recover

Statement of actions that have to be taken before, during and after a disruptive event that causes a significant loss of information

Disaster Recovery Planning

fast read/write, less robust than tape

Disk

costs, multiple sites will share resources and support. Disadvantage of Dual Site a major disaster could affect both sites; multiple configurations have to be administered.

Dual Site Advantage

Interview

During an incident investigation, investigators meet with a systme administrator who may have information about the incident but is not a suspect. What type of conversarion is take place during this meeting?

Mitgation

During what phase of the incident response process do administrators take action to limit the effect or scope of an incident?

Reporting

During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy?

1. Discovery 2. Protection 3. Recording 4. Collection and identification 5. Analysis 6. Storage, preservation, transportation 7. Present in court 8. Return to owner

EVIDENCE LIFECYCLE

The practice of monitoring and potentially restricting the flow of information outbound from one network to another

Egress filtering

detect a break or change in a circuit magnets pulled lose, wires door, pressure pads

Electromechanical

programmable locks or biometric systems

Electronic Access Control (EAC) proximity readers

transfer of backup data to an offsite storage location via communication lines

Electronic vaulting

Restore normal business operations.

End Goal for Disaster Recovery

can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.

Endpoint-based DLP

the legal action of luring an intruder, like in a honeypot

Enticement

refers to the amount of privileges granted to users, typically when first provisioning an account. A user entitlement audit can detect when employees have excessive privileges

Entitlement

the illegal act of inducing a crime, the individual had no intent of committing the crime at first

Entrapment

is the malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization.

Espionage

anything that happens. Can be documented verified and analyzed

Events

must be preserved and identifiable

Evidence

enforces laws (administrative laws)

Executive

allows officials to seize evidence before its destroyed (police team fall in)

Exigent circumstances

use of main buildings or any remote facilities

Facilities

CORE OF BUILDING (thus with 6 stores, on 3rd floor)

Facility site

most conservative from a security perspective

Fail Closed/secure

human to see why it failed

Fail Hard - BSOD

program execution is terminated and system protected from compromise when hardware or software failure occurs DOORS usually

Fail safe system

reboot, selected, noncritical processing is terminated when failure occurs

Fail soft or resilient system

switches to hot backup.

Failover

Backup critical information thus enabling data recovery

Failure preparation

continues to function despite failure

Fault-tolerant

provides judges and courts procedures on the prevention, detection and reporting

Federal Sentencing Guidelines

Small mesh and high gauge is most secure 3-4 feet deters casual trespasser

Fences

active electronics, transmitter but gets power from the surrounding field from the reader

Field Powered device

carried out to unlawfully obtain money or services.

Financial Attacks

Find someone to run it

Financial disbursement, Media relations

management approval. NB: when a question is about processes, there must always be management's approval as First step.

First step by change process

Be authentic; evidence tied back to scene Be accurate; maintain authenticity and veracity Be complete; all evidence collected, for & against view Be convincing; clear & easy to understand for jury Be admissible; be able to be used in court

Five rules of evidence

MTD (Max Tolerable Downtime)

Florian is buidling a disaster recovery plan for his organization and would like to determine the amount of time that particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating?

1. Scope and plan initiation Consider amount of work required, resources required, management practice 2. BIA - helps to understand impact of disruptive processes 3. Business Continuity Plan development a. Use BIA to develop BCP (strategy development phase bridges the gap between the business impact assessment and the continuity planning phases of BCP development) b. Testing 4. Plan approval and implementation Management approval Create awareness

Focus on business processes

intercepting and modifying or discarding commands sent to the storage device

Forensic Disk Controller

Write Blocking, intercepts write commands sent to the device and prevents them from modifying data on the device Return data requested by a read operation Returning access significant information from device Reporting errors from device to forensic host

Forensic Disk Controller Steps

1 week

Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation?

Competence, was not legally obtained correctly

Frank is seeking to introduce a hacker's laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court rules tht the search of the apartment that resulted in the police finding the laptop was unconstitutional. What admissibility criteria prevents Frank from introducing the laptop as evidence?

like vandalism, looting and people grabbing the opportunity

Fraud and Crime

All files, archive bit and modify bit are cleared. Advantage: only previous day needed for full restore, disadvantage: time consuming

Full

involve relocating personnel to the alternate site and shutting down operations at the primary site.

Full-interruption tests

Least privilege

Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?

Segregation of duties matrix, used to prevent a user from acculmating two permissions that would create a potential conflict

Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary designs the program, he uses the matrix shown below. What principle of information security does this matrix most directly help enforce?

Clearance and need to know

Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. Gary is preparing to creat an account for a new user and assign privileges to the HR database. What wo elements of infomration must Gary verify before granting this access?

Two person control

Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply?

Block UDP port 7 and 9 traffic from entering the network. Fraggle attacks uses UDP port 7 and 9

Gina is a firwall administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, she checked the IDS, which reported that faggle attack was underway. Whatre FW configuration change can Gina make to most effectively prevent this attack?

Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belogning to the company

Gordon suspects that a hacker has penetrated a system belonging to his compay. The system doesn't contain any regulated information and Gordon wished to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true?

attacks that are carried out to damage an organization or a person. The damage could be in the loss of information or information processing capabilities or harm to the organization or a person's reputation. The result of grudge attacks

Grudge Attacks

can often examine events in more detail than an NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker.

HIDS

monitors activity on a single computer, including process calls and information recorded in firewall logs.

HIDS Host-based IDS

Fully configured computer facility. All applications are installed, up to date mirror of the production system. For extremely urgent critical transaction processing.

HOT SITE - Internal/External

want to verify their skills as intruders

Hackers and crackers

(combination of hacker and activist), often combine political motivations with the thrill of hacking.

Hacktivists

a review of Personal computers & Smartphones

Hardware/ Embedded Device Analysis Forensic analysts often must review the contents of hardware and embedded devices. This may include

secondhand data not admissible in court

Hearsay

something a witness hears another one say. Also business records are hearsay and all that's printed or displayed.

Hearsay Evidence

Two person control

Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee's manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?

A centralized collection of honeypots and analysis tools

Honeyfarm

Two or more honeypots on a network

Honeynet

Decoy servers or systems setup to gather information regarding an attacker or intruder into your system

Honeypot

Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy malicious or unauthorized intruders, as a means of delaying their attempts to access production data/assets. A number of machines of this kind, linked together as a network or subnet, are referred to as a "honeynet."

Honeypots/honeynets

24/7 availability and exclusive use are assured. Short and long term.

Hot Site Advantage:

extra administrative overhead, costly, security controls needs to be installed at the remote facility too. Exclusive to one company hours to be up

Hot Site Disadvantage:

software component that manages the virtual components. The hypervisor adds an additional attack surface, so it's important to ensure it is deployed in a secure state and kept uptodate with patches, controls access to physical resources

Hypervisor

automates the inspection of logs and realtime system events to detect intrusion attempts and system failures.

IDS intrusion detection system

are an effective method of detecting many DoS and DDoS attacks.

IDSs

If desired, administrators can disable these extra features of an ______, essentially causing it to function as an IDS.

IPS

includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions.

IPS intrusion prevention system

labeling, recording serial number etc.

Identification

review and interpret the log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.

In other cases, forensic analysis may be asked to

conduct a review of software code, looking for back doors, logic bombs, or other security vulnerabilities.

In some cases, when malicious insiders are suspected, the forensic analyst may be asked to

Hypervisor

In virtualization platofrms, what name is given to the model that is responsible for controlling access to physical resources by virtual resources?

Man-in-the-Middle (MITM)

In what type of attack do attackers manage to insert themselves into a connection between a user and a legitimate website?

Hypervisor

In what virtualization model do full guest operating systems run on top of a virtualization platform?

Public cloud

In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor where one customer may not the other's identity?

Response Capability (policy, procedures, a team), Incident response and handling (Triage, investigation, containment, and analysis & tracking), Recovery (Recovery / Repair), Debriefing / Feedback (External Communications)

Incident Response Lifecycle

ID the Scene Protect the environment ID evidence and potential sources of evidence Collect evidence - hash + Minimize the degree of contamination

Incident Scene Management

only modified files, archive bit cleared, Advantage: least time and space, Disadvantage first restore full then all incremental backups, thus less reliable because it depends on more components

Incremental

The party to party litigation costs resulting from its breach of warranties

Indemnification

cluster devices all share the same OS and application software but grid devices can have different OSs while still working on same problem

Individual computing devices on a cluster vs. a grid system

A focused infrared (IR) light beam is projected from an emitter and bounced off of a reflector that is placed at the other side of the detection area

Infrared Linear Beam Sensors

Provide a quick way to disable a key by permitting one turn of the master key to change a lock

Instant Keys

unauthorized modification of information, violations are not limited to intentional attacks. Human error, oversight, or ineptitude accounts for many instances

Integrity breaches

Evidence retrieval method, ultimately obtain a confession

Interrogation

gather facts and determine the substance of the case.

Interviewing

A technology that alerts organizations to adverse or unwanted activity

Intrusion Detection System (IDS)

can recognize attacks that come from external connections, such as an attack from the Internet, and attacks that spread internally such as a malicious worm. Once an IDS detect a suspicious event, they respond by sending alerts or raising alarms. In some cases, they can modify the environment to stop an attack.

Intrusion Detection Systems

A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access.

Intrusion Prevention System (IPS)

a specific form of monitoring that monitors recorded information and realtime events to detect abnormal activity indicating a potential incident or intrusion.

Intrusion detection

A solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access.

Intrusion detection system (IDS)

Middle East, Africa, Indonesia and USA

Islamite and other Religious laws

Netflow records. Contains a record of every network communication session, compare to a list of known malicious hosts.

Jim would like to identify compromiesed systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command and control servers. Which one of the following techniques would be most likely provide this information if Jim has access to a list known servers?

The practice of having personnel become familiar with multiple positions within the organization as a means to reduce single points of failure and to better detect insider threats.

Job rotation

Steganography

Joe is an investigator with a law enforcment agency. He recived a tip that a suspect is communicating sensitive information with a 3rd party via a message board. After obtaining a warrant for the message, he obtained the contents and found that teh message only contanins the image show in the figure below. If this is the sole content of teh communication, what techniques could teh suspect have used to embed sensitive infomraiton in the message?

No access

Joe is the security administrator fo an ERP system. He is preparing to create accounts for several new employees. What defualt access should he give to all of the new employees as he creates the accounts?

Interprets laws (makes common laws out of court decisions)

Judicial

The practice of only granting a user the minimal permissions necessary to perform their explicit job function.

Least privilege

writing laws (statutory laws)

Legislative

if no tampering is done with the alarm wires

Line supervision check

Data that are dynamic and exist in running processes or other volatile locations (e.g., system/device RAM) that disappear in a relatively short time once the system is powered down

Live evidence

audible alarm for at least 4000 feet far

Local alarms

perps leave something behind

Locard's Exchange Principle

States that when a crime is committed, the perpetrators leave something behind and take something with them, hence the exchange

Locard's exchange principle

Need to know

Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearnce, but ther is no business justifcation for the access. Lydia denies this request. What security principle is she following?

means, opportunity and motive

MOM (Determine suspects)

inserting bogus information to hope to mislead an attacker

Noise and perturbation

has all procedures on how the company will return processing from the alternate site

Normal Operations Resume plan

most preferred in the legal investigation is a bound notebook, pages are attached to a binding.

Notebook

use after initial use

Object reuse

audit trails and business records are not considered hearsay when the documents are created in the normal course of business.

One exception to business records

Requires witnesses to testify only about the facts of the case, cannot be used as evidence in the case.

Opinion Rule

CD/DVD. Inexpensive

Optical drive

(e.g., CDs, DVDs, Bluray discs)

Optical media

not best evidence though it may provide interpretation of documents, etc.

Oral

is a type of Secondary Evidence so the case can't simply stand on it alone

Oral Evidence

like Witness testimony

Oral evidence

used to document things such as contracts -NOTE: no copies!

Original documents

Rolling/mobile sites Mobile homes or HVAC trucks.

Other data center backup alternatives

Interfacing with other groups: everyone outside the corporation

Other recovery issues

used at the trial because it is the most reliable.

Primary Evidence

customer view taken into account

PROTOTYPING

involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at an alternate site, main site open also

Parallel tests

RAID technique; logical mechanism used to mark striped data; allows recovery of missing drive(s) by pulling data from adjacent drives.

Parity bits

no battery, uses power of the field

Passive device

detects changes in temperature

Passive infrared

An update/fix for an IT asset.

Patch

operators, management, technical support persons

People

lawful obtaining of evidence, avoid: unlawful search and seizure, secret recording, privacy violations, forced confessions, unlawful obtaining of evidence

Permissible

dumb cards

Photo id card:

light beams interrupted (as in an store entrance)

Photoelectric

It can become a risk if an employee is knowledgeable enough about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.

Potential for sabotage

alarm systems needs separate circuitry and backup power

Power supplies

Accounts granted greater privileges than normal user accounts when it is necessary for the user to have greater control over the system, but where administrative access is not required

Power users

A very cold site.

Prefabricated buildings

collection, reconstruction

Preserved and identifiable

ordinary door lock

Preset

combination or electrical lock

Programmable

owned and operated by the customer. System provides many of the features in-house

Proprietary systems

Identifies any unacceptable deviation from expected behavior based on known network protocols

Protocol Anomaly-Based IDS

Use embedded antenna wires connected to a chip within the card through RF.

Proximity Card (prox cards)

false vulnerability in a system that may attract an attacker

Pseudo flaw

degaussing or overwriting to be removed

Purging

Data encryption

Quantum Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quantum can use to protect these tapes?

one large disk out of several -Improved performance but no fault tolerance

RAID 0 Striped

fault tolerance from disk errors and single disk failure, expensive; redundancy only, not speed

RAID 1 Mirrored drives

not used commercially. Hammering Code Parity/error

RAID 2

Striped on byte level with extra parity drive -Improved performance and fault tolerance, but parity drive is a single point of failure and write intensive. 3 or more drives

RAID 3

(for later review) = detective control

Recording

Essential activities to protect business information and can be established in compliance with laws, regulations, or corporate governance

Records and Information Management (RIM)

system should restart in secure mode Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals

Recovery procedures

mandated to implement recovery after the declaration of the disaster

Recovery team

Mirrored site, potential 0 down time

Redundant

applies raid 1 mirroring concept to servers. On error servers can do a failover. This AKA server fault tolerance

Redundant servers

Failover cluster

Referring to the figure below, what technology is shown that provides fault tolerance for the database servers?

Expected findings

Reggie recently received a letter from his company's interal auditors scheduling the kickoff meeting for an assessment of his group. Which of the following should Reggie not expect to learn during that meeting?

relationship to the findings must be reasonable and sensible, Proof of crime, documentation of events, proof of acts and methods used, motive proof, identification of acts

Relevant

consistent with fact, evidence has not been tampered with or modified

Reliable

The measure of the existing magnetic field on the media after degaussing

Remanence

parallel processing of transactions to an alternative site via communication lines

Remote Journaling

PaaS

Renee is a software developer who writes code in Node.js for her organization. The company is consdiering moving from a self hosted Node.js environment to one where Renee will run her code on application servers managed by a cloud vendor. What type of cloud solution is Renees's company considering?

The science of hiding information

Steganography

Documenting the Plan Activation and recovery procedures Plan management HR involvement Costs Required documentation Internal /external communications Detailed plans by team members

Steps for DRP

Prepare questions and topics, put witness at ease, summarize information -interview/interrogation plan Have one person as lead and 12 others involved as well never interrogate or interview alone

Steps for Due Process

RAID technique; writing a data set across multiple drives.

Striping

persuasive enough to convince one of its validity

Sufficient

paper, forms HVAC Documenting the continuity strategy

Supplies and equipment

when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system in a more consistent state.

System cold start

System shuts itself down in a controlled manner after detecting inconsistent data structures or runs out of resources

System reboot

1. Rebooting system in single user mode or recovery console, so no user access is enabled 2. Recovering all file systems that were active during failure 3. Restoring missing or damaged files 4. Recovering the required security characteristic, such as file security labels 5. Checking security critical files such as system password file

System recovery after a system crash

members of the disaster recovery team gather in a large conference room and role-play a disaster scenario.

Tabletop exercise

sequential, slow read, fast write 200GB an hour, historically cheaper than disk (now changing), robotic libraries

Tape

GF/Father/Son, Tower of Hanoi, Six Cartridge Weekly

Tape Rotation Schemes

focus on locks, cameras guards

Target Hardening

the recovery of deleted files from unallocated sectors of the physical disk, the live analysis of storage media connected to a computer system (especially useful when examining encrypted media), and the static analysis of forensic images of storage media.

Techniques used for media analysis

walls fences flags

Territorial Reinforcements

purpose of a terrorist attack is to disrupt normal life and instill fear

Terrorist Attacks

one of their 5 senses

Testimony from a witness

been returned to their normal location and function (data verified at primary site as accurate)

The disaster is not over until all operations have

meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

The evidence must be competent

Identifies any unacceptable deviation from expected behavior based on actual traffic structure

Traffic anomaly-based IDS

Buffer overflow

The historic ping of death attack is most simliar to which of the following model attack types?

Script kiddies

The main motivation behind these attacks is the "high" of successfully breaking into a system

collect and correlate information from these disparate sources and produce as comprehensive a picture of network activity as possible.

The task of the network forensic analyst

give legal backing to the previously questionable practices of shrink-wrap licensing and clickwrap licensing by giving them status as legally binding contracts.

The terms of UCITA

Business Attacks (BA)

The use of the information gathered during the attack usually causes more damage than the attack itself.

provide alternate backups and processing facilities. Most common of implementations!

Third party, commercial services

are the attacks launched only for the fun of it. Pride, bragging rights

Thrill attacks

Media analysis

Tim is a forensic analyst who is attempting to retrieve information from a hard drive. It appears that teh user attempted to erase the data, and Time is trying to reconstruct it. What type of forensic analysis is Tim performing?

Immediately begin preserving evidence

Timber Indisturies recently go into a dispute with a customer. During a meeting with his account represetative, the customer stood up and declared, "There is no other solution. We will have to take this matter to court." He then left the room. When does Timber Industries have an obligation to begin preserving evidence?

Send induced radio frequency (RF) signals down a cable that is attached to the fence fabric

Time domain Reflectometry (TDR)

Change log

Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system's security settings. Where would he most likely find this information?

Toni's computer is part of a botnet

Toni responds to the desk of a user who reports slow system activity. Upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user doesn't use social media, and when Toni checks the accounts in question, they contain strange messages that appear encrypted. What is the most likely cause of this traffic?

Electronic vaulting, automated DB backup approach, DB backups are moved from primary to remote server on scheduled daily basis.

Veronica is considering the implementation of a database recovery mechanism recommeded by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an offisite location each night. What type of database recovery technique is the consultant describing?

Cross between hot and cold site. The computer facility is available but the applications may not be installed or need to be configured. External connections and other data elements that take long time to order are present. Workstations have to be delivered and data has to be restored.

WARM SITE

hanging lock with a key

Warded lock

min 2 disk required for RAID 1

What is the minimum number of disks required to implement RAID level 1?

Fourth Amendment

What legal protection prevents law enforcement agencies from searching a facility or electronic system without either probable cause or consent?

RAID-1 = disk mirroring

What level of RAID is also known as disk mirroring?

Sandboxing

What technique can application developers use to test application in an ioslated virtualized environment before allowing themon a production network?

Watermarking

What technique has been used to protec teh IP in the image shown below?

Entitlement, privileges granted to user when account is first created/provisioned

What term is used to describe the default set of privileges assigned to a user when a new account is created?

SYN Flood attack

What type of attack is show in the figure below

Parallel test

What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running?

Real evidence (Documentary-written items may or may not be in tangible form, Testimonial-verbal given by witness with relevant testimony, Parol-agreement is put into written form, all terms of agreement

What type of evidence consists entirely of tangible items that may be brought into a court of law?

Transitive trusts

What type of trust relationship extends beyond the two domains participating in the trust to on or more of their subdomains?

Separation of duties

When designeing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assigne superuse privleges to an account. What information security principle is Hilda following?

don't use message digest because it will change the timestamps of the files when the filesystem is not set to ReadOnly

When investigating a hard drive

All of the above. When a user leaves the company, roles change, regular and recurring basis

When should an organization conduct a review of the privileged access that a user has to sensitive systems?

Transformer failure

Which of the following is an example of a manmade disaster?

The code applies to all members of the information security profession

Which of the following is not ture about the ISC2 code of ethics?

I, III, IV

Which of the following organizations would be likely to have a representative on CSIRT? I. Information security, II. Legal Counsel, III. Senior mgmt, IV. Engineering

I, II, III, IV

Which of the following would normally be considered an example of a disaster when performing diaster recovery planning? I. Hacking incident, II. Flood, III. Fire, IV. Terrorism

Service Level Agreement (SLA)

Which one fo the following types of agreements is the most formal document that ocntains expecations about availability and other performance parameters between a service provider and a customer?

Generators

Which one of the following controls protects an organization in the event of a sustainied period of power loss?

Restoring operations in the primary facility

Which one of the following events marks the completion of a DRP?

All of the above 1. An attempted network intrusion, 2. A successful database intrusion, 3. A malware infection, 4. A violation of a confidentiality policy, 5. An unsuccessful attempt to remove information from a secured area.

Which one of the following events would constitute a security incident? 1. An attempted network intrusion, 2. A successful database intrusion, 3. A malware infection, 4. A violation of a confidentiality policy, 5. An unsuccessful attempt to remove information from a secured area.

ITIL

Which one of the following frameworks focuses on IT service mgmt and includes topics such as change mgmt, config mgmt, and SLAs?

Government agent

Which one of the following individuals is most likely to lead a regulatory investigation?

CVE, dictionary with common security related issues

Which one of the following information sources is useful to security administrators seeking a list of information security vulnerabilities in applications, devices and operating systems?

Unauthorized vulnerability scan of a file server

Which one of the following is an example of computer security incident?

Conduct forensic imaging of all systems

Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack?

Promptly report security vulnerabilites to relevant authorities

Which one of the following is not a canon of the ISC2 code of ethics?

Logging into a workstation

Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions?

Meet in the middle

Which one of the following is not an example of a backup tape rotation scheme?

The evidence must be tangible

Which one of the following is not requirement for evidence to be admissible in court?

Incident response

Which one of the following mechanisms is not commonly seen as a deterrent to fraud?

Pseudoflaw, false vulnerability in a system that may attract an attacker.

Which one of the following might a security team use on a honeypot system to consume an attacker's time while alerting administrators?

Darknet

Which one of the following security tools consists of an unused network address space that may detect unauthorized activity?

An attack previously unknown to the security community

Which one of the following statements best describes a zero-day vulnerability?

Intercepting and modifying or discarding commands sent to the storage device

Which one of the following tasks is performed by a forensic disk controller?

Reformatting

Which one of the following techniques is not commonly used to remove unwanted remnant data from magentic tapes?

Sampling, uses statistical techniques to choose a sample representative of the entire pool.

Which one of the following techniques uses statistical methods to select a small number of records from a large pool for further analysis with the goal of choosing a set of records that is represetative of the entire pool?

RFID

Which one of the following technologies would provide the most automation of an inventory control process in a cost effective manner?

Service pack

Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?

Baseline configuration

Which one of the following tools helps systems administrators by providing a standard, secure template of configuration setting or operating systems and applications?

Software Escrow agreements, places a copy of the source code for software to a 3rd party, who will turn code over to customer if business ops stops.

Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business?

Traffic with a destination address on a external network

Which one of the following traffic types should not be blocked by an organization's egress filtering policy?

Manual recovery, system doesn't fail into secure state but requires administrator to manually restore operations

Which one of the following trusted recovery types doesn't fail into a secure operating state?

Malicious insider

Which one of thef ollowing individuals poses the greatest risk to security in most well-defended organizations?

IDS

Which one the following secuirty tools is not capable of generating an active response to a security event?

User activated System sensing

Wireless proximity cards

Netflow data

You are performing an investigation into a potential bot infection on your network an sish to perform a forensic analysis of the information that passed between different systems on your network and those on the Internet. You believe tht teh information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information?

0.005

You are working to evaluate the risk of flood to an area and consult flood maps from FEMA. According to those maps, the area lies within a 200 year flood plain. What is the ARO of a flood in that region?

Plan for _______________________ maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation

emergency response backup operations and post disaster recovery

detects motions

wave pattern motion detectors


Related study sets

Computer Tech - Hardware cred: seth kampta

View Set

Microeconomics: Economies of Scale

View Set

Chapter 27: Safety, Security, and Emergency Preparedness

View Set