CISSP Domain 7: Security Operations
A suite of technologies aimed at stemming the loss of sensitive information that occurs in the enterprise.
Data Leak Prevention (DLP)
Walls from floor to ceiling; floor: concrete slab, 150 pounds per square foot; no windows in a datacenter; air conditioning should have its own Emergency Power Off (EPO)
Data center should have:
Provide real‐time analysis of events occurring on systems throughout an organization but don't necessarily scan outgoing traffic.
Automating much of the routine work of log review
On alarm, rings out to local fire or police
Auxiliary Station systems
is a country or location that has no laws or poorly enforced laws
Data haven
systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns.
Data loss prevention
Remaining data after erasure. Format magnetic media 7 times (Orange Book)
Data remanence
live processing of remote journaling and creating duplicates of the database sets to multiple servers
Database shadowing
review plan contents
Desk Check
Checklist review
Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose?
MOST BASIC TYPE OF STORAGE
JBOD
Least privilege
Javier is verifying that only IT systems administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?
Software analysis
Jerome is conducting a forensic investigation and is reviewing database server logs to investigate query content for evidence of SQL injection attacks. What type of analysis is he performing?
(mean time to failure)
MTTF
(mean time to repair)
MTTR
Consists of a magnetically sensitive strip fused onto the surface of a PVC material, like a credit card
Magnetic Stripe (mag stripe) cards
(e.g., hard disks, tapes)
Magnetic media
SaaS
Mark is considering replacing his organization's customer relationship management (CRM) solution with a new product that is available in the cloud. The new solution is completely managed by the vendor and Mark's company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering?
Any object that contains data.
Media
branch of computer forensic analysis, involves the identification and extraction of information from storage media.
Media analysis
HIDS (Host-based Intrusion Detection System)
Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident?
(e.g., RAM, solid state storage)
Memory
designed to extract classified or sensitive information.
Military or intelligence attack
limit the effect or scope of an incident
Mitigation
A lock or latch that is recessed into the edge of a door, rather than being mounted to its surface.
Mortise Lock
(aka dual sites) Processing is spread over several computer centers. Can be managed by the same corporation (in-house) or with another organization (reciprocal agreement).
Multiple centers
Allows multiple camera screens to be shown over one cable on a monitor, via coax cables (hence "closed")
Multiplexer
replayed (video images)
Multiplexing Attacks:
Arrangement with another similar corporation to take over processes. Advantage: cheap. Disadvantages: must be exactly the same; is there enough capacity; only for short term; what if a disaster affects both corporations. Is not enforceable.
Mutual aid agreements (aka reciprocal agreement)
cannot monitor the content of encrypted traffic but can monitor other packet details.
NIDS
monitors and evaluates network activity to detect attacks or event anomalies.
NIDS Network-based IDS
Guidance of people by doors, fences, bollards, lighting. Security zones defined: natural surveillance, territorial reinforcement, target hardening
Natural Access control
cameras and guards
Natural surveillance
Primarily associated with organizations that assign clearance levels to all users and classification levels to all assets; restricts users with the same clearance level from sharing information unless they are working on the same effort. Entails compartmentalization.
Need-to-know
Forensic investigators are also often interested in the activity that took place over the network during a security incident.
Network Analysis
depends on either prior knowledge that an incident is underway or the use of preexisting security controls that log network activity.
Network forensic analysis
Scans all outgoing data looking for specific data. Administrators would place DLPs on the edge of the network to scan all data leaving the organization.
Network-based DLP
Striped on block level, parity distributed over all drives; requires all drives but one to be present to operate; hot swappable. Interleaved parity, recovery control; 3 or more drives
RAID 5
Dual parity, parity distributed over all drives; requires all drives but two to be present to operate; hot swappable
RAID 6
Same as RAID 5, but all drives act as one single virtual disk
RAID 7
Same as RAID 3 but striped on block level; 3 or more drives
RAID4
robotic mechanisms to transfer tapes between storage and drive mechanisms
RAIT
cold site
RTO 1 to 2 weeks
warm site
RTO 12 days
mobile site
RTO 35 days
Hot site;
RTO 5 minutes or hours
recovery time objectives. Refers to business processes not hardware.
RTO:
circumvent a pin tumbler lock
Raking
IDS detects activities and turns on lighting. NIST: for critical areas the area should be illuminated 8 feet in height with 2 foot-candles of power
Responsive areas illumination
Latency
Richard is experiencing issues with the quality of network service on his organization's network. The primary symptom is that packets are consistently taking too long to travel from source to their destination. What term describes the issue Richard is facing?
A lock or latch typically mounted on the surface of a door, typically associated with a dead bolt type of lock
Rim Lock
Patching operating systems
Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger's firm?
Contract with a service bureau to fully provide alternate backup processing services.
SERVICE BUREAU
6 basic SQL commands: Select, Update, Delete, Insert, Grant, Revoke
SQL -SUDIGR
is a criminal act of destruction or disruption committed against an organization by an employee.
Sabotage
Goes back to the primary site to restore normal processing and environmental conditions. Clean, repair, salvage. Can declare when the primary site is available again
Salvage team
5
Sam is responsible for backing up his company's primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and differential backups on other days of the week at that same time. Files change according to the information shown in the figure below. How many files will be copied in Wednesday's backup?
An isolated test environment that simulates the production environment but will not affect production components/data.
Sandboxing
Attackers who lack the ability to devise their own attacks will often download programs that do their work for them.
Script kiddies
Not as strong as best evidence.
Secondary Evidence
event or series of events that adversely impact the ability of an organization to do business
Security Incident
A group of technologies which aggregate information about access controls and selected system activity to store for analysis and correlation
Security Information and Event Management (SIEM)
suspected attack
Security incident
evidence attacker attempted or gained access
Security intrusion
The practice of ensuring that no organizational process can be completed by a single person; forces collusion as a means to reduce insider threats.
Separation of duties
group of independent servers which are managed as a single system. All servers are online and take part in processing service requests.
Server clustering
Accounts used to provide privileged access used by system services and core applications
Service accounts
An attacker may destroy data, the main motivation is to compromise a system and perhaps use it to launch an attack against another victim.(Common to do website defacements)
Service interruption
More comprehensive and may impact one or more noncritical business units of the organization; all support personnel meet in a practice room
Simulation tests
When dealing with digital evidence, all of the general forensic and procedural principles must be applied. Upon seizing digital evidence, actions taken should not change that evidence. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession. Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
Six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of forensically recovered evidence:
should be inspected for hidden data and should be included in a disk image
Slack space on a disk
Credential cards with one or more microchips that accept or process information; can be contact or contactless.
Smart Cards
Forensic analysts may also be called on to conduct forensic reviews of applications or the activity that takes place within a running application.
Software Analysis
USB drive, security issues, protected by AES
Solid state
Analyzes event data by comparing it to typical, known, or predicted traffic profiles in an effort to find potential security breaches
Statistical Anomaly-based IDS
Both card and receiver hold power, transmitter and electronics. Ensures that the security is not breached when a system crash or failure occurs. Only required for B3 and A1 level systems.
Transponders
cylinder slot
Tumbler lock
Operational, Criminal, Civil, eDiscovery
Types of Law
Intrusion detection and prevention system logs; network flow data captured by a flow monitoring system; packet captures deliberately collected during an incident; logs from firewalls and other network security devices
Types of Network Forensic Analysis
Public domain
Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?
Software-defined networking
Under what virtualization model does the virtualization platform separate the network control plane from the data plane and replace complex network devices with simpler devices that simply receive instructions from the controller?
contains provisions that address software licensing.
Uniform Computer Information Transactions Act
is a federal law that provides a common framework for the conduct of computer-related business transactions.
Uniform Computer Information Transactions Act (UCITA)
Batteries that provide temporary, immediate power during times when utility service is interrupted.
Uninterruptible power supplies (UPS)
(detects movements on screen and alerts guards)
Annunciator system
magnetic field detects presence around an object
proximity or capacitance detector
Provide an organized way for decision making, reduce confusion and deal with the crisis. Planning and development must occur before the disaster (BIA has already been done, now we're going to protect!)
DRP Goal
Expert opinion
Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor requests that Darcy give testimony in court about whether, in her opinion, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide?
unused network space that may detect unauthorized activity
Dark-net
collection of component CI's that make another CI
Configuration
Component whose state is recorded. Version: recorded state of the CI
Configuration item (CI)
when a system restarts after a failure happens in an uncontrolled manner. E.g. when a low privileged user tries to access restricted memory segments
Emergency restart
responsibility towards employees and families
Employee relations
Legislative, Executive, Judicial
3 branches for laws:
Data at rest (storage); data in transit (the network); data being processed (must be decrypted) / in use / endpoint
3 states of information
Used to educate the jury, can be used as evidence
Expert Witnesses
doors UNLOCK
FAIL SAFE
doors LOCK
FAIL SECURE
Failure Mode and Effects Analysis, Pareto Analysis, Fault Tree Analysis, Cause Mapping
5 Ways of processing a Root Cause Analysis
Openness, Collection Limitation, Purpose Specification, Use Limitation, Data Quality, Individual Participation, Security Safeguards, Accountability
FAIR INFORMATION PRACTICES
Against blinding by lights. Continuous lighting, evenly distributed lighting
Glare protection
Mean time between failures (Useful Life) = MTTF + MTTR
MTBF
detect anomalies on the host system that NIDSs cannot detect.
A benefit of HIDSs over NIDSs is that HIDSs can
Not permitted if the original (best evidence) is available. Copies of documents.
A copy Secondary Evidence
provide a means for a timely and accurate response to intrusions.
A primary goal of an IDS
can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.
A single NIDS
Device that uses passive listening devices
Acoustic Sensors
Microphones, vibration sensors
Acoustical detection
how the industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties
Administrative/Regulatory law
Accounts that are assigned only to named individuals that require administrative access to the system to perform maintenance activities, and should be different and separate from a user's normal account.
Administrator accounts
relevant, sufficient, reliable, does not have to be tangible
Admissible evidence
quick response and availability, testing is possible.
Advantage of Service Bureau
Less costly, more choices of location, less administrative resources. Disadvantage of Warm Site: it will take some time to start production processing. Nonexclusive. 12 hours to be up
Advantage of Warm Site
Privilege Creep, accumulate privileges
Aggregation
Clipping: uses threshold values to select records that exceed predefined values, those of most interest to analysts
Allie is responsible for reviewing authentication logs on her organization's network. She doesn't have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool?
part of a defense-in-depth security plan. It will work with, and complement, other security mechanisms such as firewalls, but it does not replace them.
An IDS
an attacker is able to bypass or thwart security mechanisms and gain access to an organization's resources.
An intrusion
Security event, no reason to believe security compromise or policy violation occurred
Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. At this point in the incident response process, what term best describes what has occurred in Ann's organization?
DNS
Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. Ann continues her investigation and realizes that the traffic generating the alert is abnormally high volumes of inbound UDP traffic on port 53. What service typically uses this port?
DoS attack
Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate use. The inbound packets are responses to queries that she doesn't see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect?
Security incident
Ann is a security professional for a mid-sized business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's IDS. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the IDS alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. At this point in the incident response process, what term best describes what has occurred in Ann's organization?
can be dissatisfied employees, and in some cases, employees who are being blackmailed from someone outside the organization.
Attackers (espionage)
disclosing or selling the information to a competitor or other interested organization (such as a foreign government).
Attackers often commit espionage with the intent of
Date and time stamps; successful or unsuccessful attempt; where the access was granted; who attempted access; who modified access privileges at supervisor level
Audit Trails
Representatives from all departments; senior staff (ultimate responsibility, due care/diligence); various business units (identify and prioritize time-critical systems); Information Systems Security Administrator; people who will carry out the plan (execute)
BCP committee
Tape, Disk, Optical Drive, Solid State
Backup storage media
Devices that use a magnetic field or mechanical contact to determine if an alarm signal is initiated
Balanced Magnetic Switch (BMS)
Cold site
Beth is selecting a disaster recovery facility for her organization. She would like to choose a facility that has appropriate environmental controls and power for her operations but wants to minimize costs. She is willing to accept a lengthy recovery time. What type of facility should she choose?
are placeholders for literal values in SQL query being sent to the database on a server
Bind variables
in SQL used to enhance performance of a database
Bind variables
Privilege escalation
Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allowed him to gain root access to that server. What type of attack took place?
Hybrid cloud
Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own data center but also leverages an IaaS provider for hosting its web services and a SaaS email system. What term best describes the type of cloud environment this organization uses?
SSH scanning
Bruce is seeing quite a bit of suspicious activity on his network. It appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in?
assembling a version of a CI using component
Building
focus on illegally obtaining an organization's confidential information.
Business Attacks
Ensuring the business can continue in an emergency, 1st business organization analysis
Business continuity Planning
enables you to compare the audit trails and access logs with a visual recording
CCTV
set of versions of component
CI's Build list
controlled area only accessible for approved users
CI's used to build a CI Software Library
Least ready but most commonly used. Has no hardware installed only power and HVAC.
COLD SITE
Aggregation
Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the set of privileges she has accumulated?
DLP
Carolyn is concerned that users on her network may be storing sensitive information, such as SSN, on their hard drives without proper authorization or security controls. What technology can she use to best detect this activity?
Less than 10 minutes travel time, e.g. for a private security firm
Central stations
The who, what, when, where, and how the evidence was handled, from its identification through its entire life cycle, which ends with destruction, permanent archiving, or returning to the owner.
Chain of custody
Collection, analysis and preservation of data. Forensics uses a bit-level copy of the disk
Chain of custody
will detect it and prevent it from leaving the organization. The system will send an alert, such as an email to an administrator.
If a user sends out a file containing restricted data, the DLP system
A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.
Change management
A lock controlled by a keypad or touch screen, typically 5 to 10 digits; when pushed in the right combination the lock releases and allows entry
Cipher Lock
Electrical
Cipher Lock
Used to help assume another fact, Cannot stand on its own to directly prove a fact
Circumstantial evidence
Europe, South America
Civil law
wrongs against individual or organization that result in a damage or loss. Punishment can include financial penalties. AKA tort law (I'll Sue You!) Jury decides liability
Civil law
overwriting media to be reused
Clearing
Cost, ease of location choice. Nonexclusive. week
Cold Site Advantage
3 digits with wheels
Combination lock
1. Manual: system administrator intervention is required to return the system to a secure state 2. Automatic: recovery to a secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures) 3. Automatic without Undue Loss: higher level of recovery defining prevention against the undue loss of protected objects 4. Function: system can restore functional processes automatically
Common criteria hierarchical recovery types
USA, UK, Australia, Canada (judges)
Common law
Unauthorized intrusion; unauthorized alteration or destruction; malicious code
Computer Crime Laws 3 types of harm
Irrefutable and cannot be contradicted, Requires no other corroboration
Conclusive evidence
theft of sensitive information
Confidentiality breaches
A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).
Configuration management (CM)
Sabotage
Connor's company recently experienced a DoS attack that Connor believes came from an inside source. If true, what type of event has the company experienced?
No bleeding over, no blinding. Standby lighting, timers
Controlled lighting
Supports or substantiates other evidence presented in a case
Corroborative Evidence
In-house or external supply of hardware replacements. Stock of hardware either onsite or with a vendor. May be acceptable for warm site but not for hot site.
Could be considered a cold site
are to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.
Countermeasures against espionage
individuals that violate government laws. Punishment mostly imprisonment
Criminal law
The evidence must be relevant to determining a fact. The fact that the evidence seeks to determine must be material (that is, related) to the case.
Criteria for Admissible Evidence
Complete destruction, preferably by burning
Destruction
bolt down hardware
Device lock
Only modified files; doesn't clear the archive bit. Advantage: only the full and the last differential are needed. Intermediate time between full and diff.
Differential
Can prove fact by itself and does not need any type of backup.
Direct Evidence
does not need other evidence to substantiate
Direct Evidence
Very lengthy time of restoration, false sense of security but better than nothing.
Disadvantage of Cold Site
expense and it is more of a short time option.
Disadvantage of Service Bureau
any event, natural or manmade, that can disrupt normal IT operations
Disaster
Recover as quickly as possible; heavy IT focus; allows the execution of the BCP; needs planning; needs testing. CRITICAL, URGENT, IMPORTANT
Disaster Recovery
Statement of actions that have to be taken before, during and after a disruptive event that causes a significant loss of information
Disaster Recovery Planning
fast read/write, less robust than tape
Disk
Costs: multiple sites will share resources and support. Disadvantage of Dual Site: a major disaster could affect both sites; multiple configurations have to be administered.
Dual Site Advantage
Interview
During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting?
Mitigation
During what phase of the incident response process do administrators take action to limit the effect or scope of an incident?
Reporting
During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy?
1. Discovery 2. Protection 3. Recording 4. Collection and identification 5. Analysis 6. Storage, preservation, transportation 7. Present in court 8. Return to owner
EVIDENCE LIFECYCLE
The practice of monitoring and potentially restricting the flow of information outbound from one network to another
Egress filtering
Detects a break or change in a circuit: magnets pulled loose, wired doors, pressure pads
Electromechanical
programmable locks or biometric systems
Electronic Access Control (EAC) proximity readers
transfer of backup data to an offsite storage location via communication lines
Electronic vaulting
Restore normal business operations.
End Goal for Disaster Recovery
Can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization's endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.
Endpoint-based DLP
the legal action of luring an intruder, like in a honeypot
Enticement
refers to the amount of privileges granted to users, typically when first provisioning an account. A user entitlement audit can detect when employees have excessive privileges
Entitlement
the illegal act of inducing a crime, the individual had no intent of committing the crime at first
Entrapment
is the malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization.
Espionage
anything that happens. Can be documented verified and analyzed
Events
must be preserved and identifiable
Evidence
enforces laws (administrative laws)
Executive
Allows officials to seize evidence before it's destroyed (police team falls in)
Exigent circumstances
use of main buildings or any remote facilities
Facilities
CORE OF BUILDING (thus with 6 stories, on 3rd floor)
Facility site
most conservative from a security perspective
Fail Closed/secure
human to see why it failed
Fail Hard - BSOD
program execution is terminated and system protected from compromise when hardware or software failure occurs DOORS usually
Fail safe system
reboot, selected, noncritical processing is terminated when failure occurs
Fail soft or resilient system
switches to hot backup.
Failover
Backup critical information thus enabling data recovery
Failure preparation
continues to function despite failure
Fault-tolerant
provides judges and courts procedures on the prevention, detection and reporting
Federal Sentencing Guidelines
Small mesh and high gauge is most secure; 3-4 feet deters the casual trespasser
Fences
active electronics, transmitter but gets power from the surrounding field from the reader
Field Powered device
carried out to unlawfully obtain money or services.
Financial Attacks
Find someone to run it
Financial disbursement, Media relations
Management approval. NB: when a question is about processes, management's approval must always be the first step.
First step of change process
Be authentic: evidence tied back to the scene; be accurate: maintain authenticity and veracity; be complete: all evidence collected, for and against the view; be convincing: clear and easy to understand for the jury; be admissible: able to be used in court
Five rules of evidence
MTD (Max Tolerable Downtime)
Florian is building a disaster recovery plan for his organization and would like to determine the amount of time that a particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating?
1. Scope and plan initiation Consider amount of work required, resources required, management practice 2. BIA - helps to understand impact of disruptive processes 3. Business Continuity Plan development a. Use BIA to develop BCP (strategy development phase bridges the gap between the business impact assessment and the continuity planning phases of BCP development) b. Testing 4. Plan approval and implementation Management approval Create awareness
Focus on business processes
intercepting and modifying or discarding commands sent to the storage device
Forensic Disk Controller
Write blocking: intercepts write commands sent to the device and prevents them from modifying data on the device; returns data requested by a read operation; returns access-significant information from the device; reports errors from the device to the forensic host
Forensic Disk Controller Steps
1 week
Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation?
Competence; it was not legally obtained
Frank is seeking to introduce a hacker's laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court rules that the search of the apartment that resulted in the police finding the laptop was unconstitutional. What admissibility criterion prevents Frank from introducing the laptop as evidence?
like vandalism, looting and people grabbing the opportunity
Fraud and Crime
All files; archive bit and modify bit are cleared. Advantage: only the previous day is needed for a full restore. Disadvantage: time consuming.
Full
involve relocating personnel to the alternate site and shutting down operations at the primary site.
Full-interruption tests
Least privilege
Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?
Segregation of duties matrix, used to prevent a user from accumulating two permissions that would create a potential conflict
Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary designs the program, he uses the matrix shown below. What principle of information security does this matrix most directly help enforce?
Clearance and need to know
Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?
Two person control
Gary was recently hired as the first CISO for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply?
Block UDP port 7 and 9 traffic from entering the network. Fraggle attacks use UDP ports 7 and 9.
Gina is a firewall administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, she checked the IDS, which reported that a fraggle attack was underway. What firewall configuration change can Gina make to most effectively prevent this attack?
Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company
Gordon suspects that a hacker has penetrated a system belonging to his company. The system doesn't contain any regulated information and Gordon wishes to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true?
attacks that are carried out to damage an organization or a person. The damage could be in the loss of information or information processing capabilities or harm to the organization or a person's reputation. The result of grudge attacks
Grudge Attacks
can often examine events in more detail than an NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker.
HIDS
monitors activity on a single computer, including process calls and information recorded in firewall logs.
HIDS Host-based IDS
Fully configured computer facility. All applications are installed; an up-to-date mirror of the production system. For extremely urgent, critical transaction processing.
HOT SITE - Internal/External
want to verify their skills as intruders
Hackers and crackers
(combination of hacker and activist), often combine political motivations with the thrill of hacking.
Hacktivists
a review of personal computers and smartphones
Hardware/Embedded Device Analysis: forensic analysts often must review the contents of hardware and embedded devices. This may include
secondhand data not admissible in court
Hearsay
something a witness hears another one say. Also business records are hearsay and all that's printed or displayed.
Hearsay Evidence
Two person control
Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee's manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?
A centralized collection of honeypots and analysis tools
Honeyfarm
Two or more honeypots on a network
Honeynet
Decoy servers or systems set up to gather information regarding an attacker or intruder into your system
Honeypot
Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy malicious or unauthorized intruders, as a means of delaying their attempts to access production data/assets. A number of machines of this kind, linked together as a network or subnet, are referred to as a "honeynet."
Honeypots/honeynets
24/7 availability and exclusive use are assured. Short and long term.
Hot Site Advantage:
extra administrative overhead, costly, security controls need to be installed at the remote facility too. Exclusive to one company; hours to be up
Hot Site Disadvantage:
software component that manages the virtual components. The hypervisor adds an additional attack surface, so it's important to ensure it is deployed in a secure state and kept up to date with patches; controls access to physical resources
Hypervisor
automates the inspection of logs and realtime system events to detect intrusion attempts and system failures.
IDS intrusion detection system
are an effective method of detecting many DoS and DDoS attacks.
IDSs
If desired, administrators can disable these extra features of an ______, essentially causing it to function as an IDS.
IPS
includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions.
IPS intrusion prevention system
labeling, recording serial number etc.
Identification
review and interpret the log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.
In other cases, forensic analysis may be asked to
conduct a review of software code, looking for back doors, logic bombs, or other security vulnerabilities.
In some cases, when malicious insiders are suspected, the forensic analyst may be asked to
Hypervisor
In virtualization platforms, what name is given to the model that is responsible for controlling access to physical resources by virtual resources?
Man-in-the-Middle (MITM)
In what type of attack do attackers manage to insert themselves into a connection between a user and a legitimate website?
Hypervisor
In what virtualization model do full guest operating systems run on top of a virtualization platform?
Public cloud
In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor, where one customer may not know the other's identity?
Response Capability (policy, procedures, a team), Incident response and handling (Triage, investigation, containment, and analysis & tracking), Recovery (Recovery / Repair), Debriefing / Feedback (External Communications)
Incident Response Lifecycle
Identify the scene; protect the environment; identify evidence and potential sources of evidence; collect evidence (hash it); minimize the degree of contamination
Incident Scene Management
Only modified files; archive bit cleared. Advantage: least time and space. Disadvantage: first restore the full backup, then all incremental backups, thus less reliable because it depends on more components.
Incremental
The party to party litigation costs resulting from its breach of warranties
Indemnification
cluster devices all share the same OS and application software, but grid devices can have different OSs while still working on the same problem
Individual computing devices on a cluster vs. a grid system
A focused infrared (IR) light beam is projected from an emitter and bounced off of a reflector that is placed at the other side of the detection area
Infrared Linear Beam Sensors
Provide a quick way to disable a key by permitting one turn of the master key to change a lock
Instant Keys
unauthorized modification of information, violations are not limited to intentional attacks. Human error, oversight, or ineptitude accounts for many instances
Integrity breaches
Evidence retrieval method, ultimately obtain a confession
Interrogation
gather facts and determine the substance of the case.
Interviewing
A technology that alerts organizations to adverse or unwanted activity
Intrusion Detection System (IDS)
can recognize attacks that come from external connections, such as an attack from the Internet, and attacks that spread internally, such as a malicious worm. Once an IDS detects a suspicious event, it responds by sending alerts or raising alarms. In some cases, it can modify the environment to stop an attack.
Intrusion Detection Systems
A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access.
Intrusion Prevention System (IPS)
a specific form of monitoring that monitors recorded information and realtime events to detect abnormal activity indicating a potential incident or intrusion.
Intrusion detection
A solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access.
Intrusion detection system (IDS)
Middle East, Africa, Indonesia and USA
Islamic and other religious laws
Netflow records. Contains a record of every network communication session, compare to a list of known malicious hosts.
Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command and control servers. Which one of the following techniques would most likely provide this information if Jim has access to a list of known servers?
The practice of having personnel become familiar with multiple positions within the organization as a means to reduce single points of failure and to better detect insider threats.
Job rotation
Steganography
Joe is an investigator with a law enforcement agency. He received a tip that a suspect is communicating sensitive information with a 3rd party via a message board. After obtaining a warrant for the message, he obtained the contents and found that the message only contains the image shown in the figure below. If this is the sole content of the communication, what technique could the suspect have used to embed sensitive information in the message?
No access
Joe is the security administrator of an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?
Interprets laws (makes common laws out of court decisions)
Judicial
The practice of only granting a user the minimal permissions necessary to perform their explicit job function.
Least privilege
writing laws (statutory laws)
Legislative
if no tampering is done with the alarm wires
Line supervision check
Data that are dynamic and exist in running processes or other volatile locations (e.g., system/device RAM) that disappear in a relatively short time once the system is powered down
Live evidence
audible alarm heard at least 4000 feet away
Local alarms
perps leave something behind
Locard's Exchange Principle
States that when a crime is committed, the perpetrators leave something behind and take something with them, hence the exchange
Locard's exchange principle
Need to know
Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?
means, opportunity and motive
MOM (Determine suspects)
inserting bogus information in the hope of misleading an attacker
Noise and perturbation
has all procedures on how the company will return processing from the alternate site
Normal Operations Resume plan
most preferred in the legal investigation is a bound notebook, pages are attached to a binding.
Notebook
use after initial use
Object reuse
audit trails and business records are not considered hearsay when the documents are created in the normal course of business.
One exception to business records
Requires witnesses to testify only about the facts of the case, cannot be used as evidence in the case.
Opinion Rule
CD/DVD. Inexpensive
Optical drive
(e.g., CDs, DVDs, Bluray discs)
Optical media
not best evidence though it may provide interpretation of documents, etc.
Oral
is a type of Secondary Evidence so the case can't simply stand on it alone
Oral Evidence
like Witness testimony
Oral evidence
used to document things such as contracts -NOTE: no copies!
Original documents
Rolling/mobile sites: mobile homes or HVAC trucks.
Other data center backup alternatives
Interfacing with other groups: everyone outside the corporation
Other recovery issues
used at the trial because it is the most reliable.
Primary Evidence
customer view taken into account
PROTOTYPING
involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at the alternate site; the main site remains open also
Parallel tests
RAID technique; logical mechanism used to mark striped data; allows recovery of missing drive(s) by pulling data from adjacent drives.
Parity bits
no battery, uses power of the field
Passive device
detects changes in temperature
Passive infrared
An update/fix for an IT asset.
Patch
operators, management, technical support persons
People
lawful obtaining of evidence, avoid: unlawful search and seizure, secret recording, privacy violations, forced confessions, unlawful obtaining of evidence
Permissible
dumb cards
Photo id card:
light beams interrupted (as in an store entrance)
Photoelectric
It can become a risk if an employee is knowledgeable enough about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.
Potential for sabotage
alarm systems needs separate circuitry and backup power
Power supplies
Accounts granted greater privileges than normal user accounts when it is necessary for the user to have greater control over the system, but where administrative access is not required
Power users
A very cold site.
Prefabricated buildings
collection, reconstruction
Preserved and identifiable
ordinary door lock
Preset
combination or electrical lock
Programmable
owned and operated by the customer. System provides many of the features in-house
Proprietary systems
Identifies any unacceptable deviation from expected behavior based on known network protocols
Protocol Anomaly-Based IDS
Use embedded antenna wires connected to a chip within the card through RF.
Proximity Card (prox cards)
false vulnerability in a system that may attract an attacker
Pseudo flaw
degaussing or overwriting to be removed
Purging
Data encryption
Quantum Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quantum can use to protect these tapes?
one large disk out of several; improved performance but no fault tolerance
RAID 0 Striped
fault tolerance from disk errors and single disk failure; expensive; redundancy only, not speed
RAID 1 Mirrored drives
not used commercially. Hamming code parity/error correction
RAID 2
Striped on the byte level with an extra parity drive; improved performance and fault tolerance, but the parity drive is a single point of failure and write intensive. 3 or more drives
RAID 3
(for later review) = detective control
Recording
Essential activities to protect business information and can be established in compliance with laws, regulations, or corporate governance
Records and Information Management (RIM)
System should restart in secure mode. Startup should occur in maintenance mode, which permits access only by privileged users from privileged terminals.
Recovery procedures
mandated to implement recovery after the declaration of the disaster
Recovery team
Mirrored site, potential 0 down time
Redundant
applies the RAID 1 mirroring concept to servers; on error, servers can fail over. Also known as server fault tolerance
Redundant servers
Failover cluster
Referring to the figure below, what technology is shown that provides fault tolerance for the database servers?
Expected findings
Reggie recently received a letter from his company's internal auditors scheduling the kickoff meeting for an assessment of his group. Which of the following should Reggie not expect to learn during that meeting?
relationship to the findings must be reasonable and sensible, Proof of crime, documentation of events, proof of acts and methods used, motive proof, identification of acts
Relevant
consistent with fact, evidence has not been tampered with or modified
Reliable
The measure of the existing magnetic field on the media after degaussing
Remanence
parallel processing of transactions to an alternative site via communication lines
Remote Journaling
PaaS
Renee is a software developer who writes code in Node.js for her organization. The company is considering moving from a self-hosted Node.js environment to one where Renee will run her code on application servers managed by a cloud vendor. What type of cloud solution is Renee's company considering?
The science of hiding information
Steganography
Documenting the plan; activation and recovery procedures; plan management; HR involvement; costs; required documentation; internal/external communications; detailed plans by team members
Steps for DRP
Prepare questions and topics, put the witness at ease, summarize information (interview/interrogation plan). Have one person as lead and 12 others involved as well; never interrogate or interview alone
Steps for Due Process
RAID technique; writing a data set across multiple drives.
Striping
persuasive enough to convince one of its validity
Sufficient
paper, forms, HVAC; documenting the continuity strategy
Supplies and equipment
when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system in a more consistent state.
System cold start
System shuts itself down in a controlled manner after detecting inconsistent data structures or runs out of resources
System reboot
1. Rebooting the system in single user mode or recovery console, so no user access is enabled
2. Recovering all file systems that were active during the failure
3. Restoring missing or damaged files
4. Recovering the required security characteristics, such as file security labels
5. Checking security critical files, such as the system password file
System recovery after a system crash
members of the disaster recovery team gather in a large conference room and role-play a disaster scenario.
Tabletop exercise
sequential; slow read, fast write (200GB an hour); historically cheaper than disk (now changing); robotic libraries
Tape
GF/Father/Son, Tower of Hanoi, Six Cartridge Weekly
Tape Rotation Schemes
focus on locks, cameras guards
Target Hardening
the recovery of deleted files from unallocated sectors of the physical disk, the live analysis of storage media connected to a computer system (especially useful when examining encrypted media), and the static analysis of forensic images of storage media.
Techniques used for media analysis
walls fences flags
Territorial Reinforcements
purpose of a terrorist attack is to disrupt normal life and instill fear
Terrorist Attacks
one of their 5 senses
Testimony from a witness
been returned to their normal location and function (data verified at primary site as accurate)
The disaster is not over until all operations have
meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
The evidence must be competent
Identifies any unacceptable deviation from expected behavior based on actual traffic structure
Traffic anomaly-based IDS
Buffer overflow
The historic ping of death attack is most similar to which of the following model attack types?
Script kiddies
The main motivation behind these attacks is the "high" of successfully breaking into a system
collect and correlate information from these disparate sources and produce as comprehensive a picture of network activity as possible.
The task of the network forensic analyst
give legal backing to the previously questionable practices of shrink-wrap licensing and clickwrap licensing by giving them status as legally binding contracts.
The terms of UCITA
Business Attacks (BA)
The use of the information gathered during the attack usually causes more damage than the attack itself.
provide alternate backups and processing facilities. Most common of implementations!
Third party, commercial services
are the attacks launched only for the fun of it. Pride, bragging rights
Thrill attacks
Media analysis
Tim is a forensic analyst who is attempting to retrieve information from a hard drive. It appears that the user attempted to erase the data, and Tim is trying to reconstruct it. What type of forensic analysis is Tim performing?
Immediately begin preserving evidence
Timber Industries recently got into a dispute with a customer. During a meeting with his account representative, the customer stood up and declared, "There is no other solution. We will have to take this matter to court." He then left the room. When does Timber Industries have an obligation to begin preserving evidence?
Send induced radio frequency (RF) signals down a cable that is attached to the fence fabric
Time domain Reflectometry (TDR)
Change log
Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system's security settings. Where would he most likely find this information?
Toni's computer is part of a botnet
Toni responds to the desk of a user who reports slow system activity. Upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user doesn't use social media, and when Toni checks the accounts in question, they contain strange messages that appear encrypted. What is the most likely cause of this traffic?
Electronic vaulting, an automated DB backup approach: DB backups are moved from the primary to a remote server on a scheduled daily basis.
Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an offsite location each night. What type of database recovery technique is the consultant describing?
Cross between a hot and cold site. The computer facility is available but the applications may not be installed or may need to be configured. External connections and other data elements that take a long time to order are present. Workstations have to be delivered and data has to be restored.
WARM SITE
hanging lock with a key
Warded lock
min 2 disk required for RAID 1
What is the minimum number of disks required to implement RAID level 1?
Fourth Amendment
What legal protection prevents law enforcement agencies from searching a facility or electronic system without either probable cause or consent?
RAID-1 = disk mirroring
What level of RAID is also known as disk mirroring?
Sandboxing
What technique can application developers use to test applications in an isolated virtualized environment before allowing them on a production network?
Watermarking
What technique has been used to protect the IP in the image shown below?
Entitlement, privileges granted to user when account is first created/provisioned
What term is used to describe the default set of privileges assigned to a user when a new account is created?
SYN Flood attack
What type of attack is shown in the figure below?
Parallel test
What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running?
Real evidence. (Documentary: written items that may or may not be in tangible form. Testimonial: verbal evidence given by a witness with relevant testimony. Parol: the agreement is put into written form, containing all terms of the agreement.)
What type of evidence consists entirely of tangible items that may be brought into a court of law?
Transitive trusts
What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains?
Separation of duties
When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?
don't compute a message digest while the filesystem is not set to read-only, because doing so will change the timestamps of the files
When investigating a hard drive
All of the above: when a user leaves the company, when roles change, and on a regular and recurring basis
When should an organization conduct a review of the privileged access that a user has to sensitive systems?
Transformer failure
Which of the following is an example of a manmade disaster?
The code applies to all members of the information security profession
Which of the following is not true about the ISC2 code of ethics?
I, III, IV
Which of the following organizations would be likely to have a representative on CSIRT? I. Information security, II. Legal Counsel, III. Senior mgmt, IV. Engineering
I, II, III, IV
Which of the following would normally be considered an example of a disaster when performing disaster recovery planning? I. Hacking incident, II. Flood, III. Fire, IV. Terrorism
Service Level Agreement (SLA)
Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?
Generators
Which one of the following controls protects an organization in the event of a sustained period of power loss?
Restoring operations in the primary facility
Which one of the following events marks the completion of a DRP?
All of the above 1. An attempted network intrusion, 2. A successful database intrusion, 3. A malware infection, 4. A violation of a confidentiality policy, 5. An unsuccessful attempt to remove information from a secured area.
Which one of the following events would constitute a security incident? 1. An attempted network intrusion, 2. A successful database intrusion, 3. A malware infection, 4. A violation of a confidentiality policy, 5. An unsuccessful attempt to remove information from a secured area.
ITIL
Which one of the following frameworks focuses on IT service mgmt and includes topics such as change mgmt, config mgmt, and SLAs?
Government agent
Which one of the following individuals is most likely to lead a regulatory investigation?
CVE, dictionary with common security related issues
Which one of the following information sources is useful to security administrators seeking a list of information security vulnerabilities in applications, devices and operating systems?
Unauthorized vulnerability scan of a file server
Which one of the following is an example of computer security incident?
Conduct forensic imaging of all systems
Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack?
Promptly report security vulnerabilities to relevant authorities
Which one of the following is not a canon of the ISC2 code of ethics?
Logging into a workstation
Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions?
Meet in the middle
Which one of the following is not an example of a backup tape rotation scheme?
The evidence must be tangible
Which one of the following is not a requirement for evidence to be admissible in court?
Incident response
Which one of the following mechanisms is not commonly seen as a deterrent to fraud?
Pseudoflaw, false vulnerability in a system that may attract an attacker.
Which one of the following might a security team use on a honeypot system to consume an attacker's time while alerting administrators?
Darknet
Which one of the following security tools consists of an unused network address space that may detect unauthorized activity?
An attack previously unknown to the security community
Which one of the following statements best describes a zero-day vulnerability?
Intercepting and modifying or discarding commands sent to the storage device
Which one of the following tasks is performed by a forensic disk controller?
Reformatting
Which one of the following techniques is not commonly used to remove unwanted remnant data from magnetic tapes?
Sampling, uses statistical techniques to choose a sample representative of the entire pool.
Which one of the following techniques uses statistical methods to select a small number of records from a large pool for further analysis, with the goal of choosing a set of records that is representative of the entire pool?
RFID
Which one of the following technologies would provide the most automation of an inventory control process in a cost effective manner?
Service pack
Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?
Baseline configuration
Which one of the following tools helps systems administrators by providing a standard, secure template of configuration settings for operating systems and applications?
Software escrow agreements, which place a copy of the software's source code with a 3rd party, who will turn the code over to the customer if the vendor's business operations stop.
Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business?
Traffic with a destination address on an external network
Which one of the following traffic types should not be blocked by an organization's egress filtering policy?
Manual recovery: the system doesn't fail into a secure state but requires an administrator to manually restore operations
Which one of the following trusted recovery types doesn't fail into a secure operating state?
Malicious insider
Which one of the following individuals poses the greatest risk to security in most well-defended organizations?
IDS
Which one of the following security tools is not capable of generating an active response to a security event?
User activated; system sensing
Wireless proximity cards
Netflow data
You are performing an investigation into a potential bot infection on your network and wish to perform a forensic analysis of the information that passed between different systems on your network and those on the Internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information?
0.005
You are working to evaluate the risk of flood to an area and consult flood maps from FEMA. According to those maps, the area lies within a 200 year flood plain. What is the ARO of a flood in that region?
Plan for _______________________ maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation
emergency response backup operations and post disaster recovery
detects motion
wave pattern motion detectors