Domain 7 - Security Operations Flashcards Preview

CISSP - 2018 > Domain 7 - Security Operations > Flashcards

Flashcards in Domain 7 - Security Operations Deck (42)
Loading flashcards...
1
Q

The following represent what?

  1. Administrative
  2. Criminal
  3. Civil
  4. Regulatory - Gov Agency Investigation
  5. Industry Standards - Electronic Discovery
A

Investigation types

2
Q

The following is what in regards to Forensics Techniques / evidence?

  1. must be relevant to determining fact
  2. the fact must be material relevant to the case
  3. must be competent, must have obtained legally
A

admissible evidence

3
Q

What are the three types of evidence that can be used in a court of law?

A
  1. Real Evidence - Physical items that are brought into court and can be seen/examined
  2. Documentary Evidence - Written items brought into court to prove a face about the case
    Best Evidence Rule
    Parol Evidence Rule
  3. Testimonial Evidence - Testimony of a witness
    Direct
    Expert
    Hearsay
4
Q

Documents the evidence lift cycle from discovery and collection through analysis and storage to reporting and presentation.

A

Chain of Evidence

a. general description
b. time and date
c. exact location
d. name of the person collecting evidence
e. relevant circumstances surrounding collection

5
Q

What do the following steps represent in regards to Investigations?

  1. Call in Law Enforcement
  2. Gather evidence
  3. Conduct Investigation
  4. Interview Individuals
  5. Report on and document Investigation
A

Investigative Process

6
Q

TRUE / FALSE

IDS = PASSIVE
IPS = ACTIVE
A

TRUE

IPS has the ability to take action such as re configuring a firewall to block a threat. IDS can only send alerts which doesn’t qualify as taking action.

7
Q

Ensures no single person has total control

A

Separation of duties

8
Q

Applies concept of least privilege to applications and processes

A

Separation of privileges

9
Q

Separation of duties + least privilege

Designated to guard against excessive system access to prevent conflicts of interest

A

Segregation of Duties

10
Q

Activity requires the approval of two people to be carried out

A

Two Person Control (Rule)

11
Q

Separation of Duties + Two Person Rule

A

Split-Knowledge

12
Q

Move people through various jobs / tasks to spread knowledge & responsibility

a. mandatory vacations

A

Job Rotation

Mandatory Vacations classified as a form of Job Rotation

13
Q

What do the following represent?

a. Create of Capture
b. Classification
c. Storage
d. usage
e. archive
f. Destruction or purging

A

Information Lifecycle Phases

14
Q

Document describing the level of service expected by a customer

A

SLA - Service Level Agreement

OLA - Internal facing SLAs. (Example: IT and Sales)

Examples:
MOU - Memorandum of Understanding
ISA - Interconnection Security Agreement

15
Q

What do the following steps represent?

  1. Detection
  2. Response
  3. Mitigation
  4. Reporting
  5. Recovery
  6. Remediation
  7. Lessons Learned
A

Incident Response Process

16
Q

Mantra of the CSIRT (Computer Incident Response Team) is what?

A

Isolation is good. Powering off is bad.

17
Q

Smurf vs Fraggle Attacks

Which uses ICMP and Which uses UDP?

A

SMURF = ICMP

FRAGGLE = UDP

18
Q

Firewalls:

Stateful = \_\_\_\_\_\_\_
Stateless = \_\_\_\_\_\_\_
A

Stateful = Dynamic (Looks at packets as they come through and keeps record of them so it can get the bigger picture)

Stateless = Static

19
Q

What do these steps represent in regards to patching?

Evaluate
Test
Approve
Deploy
Verify deployment
A

Patch Management Process Flow

20
Q

Helps reduce unanticipated outcomes due to unauthorized activity

A

Change Management

21
Q

Evaluation of proposed changes to identify potential security issues PRIOR to implementation

A

Security Impact Analysis

22
Q

What does the following process represent?

  1. Request for Change (RFC)
  2. Review of the change by the Change Advisory Board (CAB)
  3. Approval / Rejection of Change
  4. Test Approved Change (s)
  5. Schedule and Release (Implement | Deploy)
  6. Document the change
A

Change Management Process

23
Q

Match the Term to the correct definition:

Mirror Backup
Full Backup
Incremental Backup
Differential Backup

_______: Captures your entire system and all the data you want to protect. If done frequently, these result in easier recovery operations.

_______: Creates a Mirror copy of the source data. when a source file is deleted it is also deleted from the mirror backup automatically.

_______: Captures only the changes made since the last FULL or incremental backup. Saves both time and storage space. Files with their archive bit set to 1 (enabled) are backed up. Once complete, the archive bit on ALL files is reset and turned off

_______: Captures only the changes made since the last FULL backup, not since the last differential backup. All files with their archive bit enabled are backed up but the archive bit IS NOT reset once files are backed up.

A

FULL : Captures your entire system and all the data you want to protect. If done frequently, these result in easier recovery operations.

MIRROR : Creates a Mirror copy of the source data. when a source file is deleted it is also deleted from the mirror backup automatically.

Incremental : Captures only the changes made since the last FULL or incremental backup. Saves both time and storage space. Files with their archive bit set to 1 (enabled) are backed up. Once complete, the archive bit on ALL files is reset and turned off

Differential : Captures only the changes made since the last FULL backup, not since the last differential backup. All files with their archive bit enabled are backed up but the archive bit IS NOT reset once files are backed up.

24
Q

Employed for applications that cannot accept any downtime without negatively impacting the organization.

A

Redundant Center

!!NO TIME SPENT OFFLINE !!!

Advantages:

Little or no downtime
ease of maintenance
No recovery required

Disadvantages

Most expensive
Requires redundant hardware
distance limitations

25
Q

Standby ready with ALL the technology and equipment necessary to run the applications positioned there.

Quickest Recovery
Most Expensive
Operational within hours

A

Hot Site

No more than 1 business day offline

26
Q

A Facility that is PARTIALLY configured with some data center support infrastructure, such as HVAC, computers, etc.

A

Warm Site

a few days offline

27
Q

A shell or EMPTY data center space with no technology on the floor.

A

Cold Site

weeks to months offline

28
Q

Database backups are moved to a remote site using a bulk transfer capability.

A

Electronic Vaulting

29
Q

Quicker version of electronic vaulting using bulk transfers of data, but more frequently

A

Remote Journaling

30
Q

The ability of a system to suffer a fault but continue to operate

A

Fault Tolerance

31
Q

Not powered up but is a duplicate of the primary component that can be inserted into a system if needed

A

Cold Spare

32
Q

Already inserted in the system but do not receive power unless s they are required. These components need to be configured.

A

Warm Spare

33
Q

Inserted into the system and powered on. These components are ready to go

A

Hot Spare

34
Q

Includes two or more servers, allowing a failure of one to be “taken on” by the surviving members of the cluster via a failover process.

A

Failover Cluster

35
Q
Spike
Surge
Transients
Brownout
Sag
  • a quick instance of an increase in voltage
  • a quick instance of a decrease in voltage
  • an increase in power that is prolonged
  • a decrease in power that is prolonged
  • noise on the power lines
A

Spike - a quick instance of an increase in voltage

Sag - a quick instance of a decrease in voltage

Surge - an increase in power that is prolonged

Brownout - a decrease in power that is prolonged

Transients - noise on the power lines

36
Q

What level of RAID is defined below:

Writes files in stripes across multiple disks without the use of parity information. NOT FAULT TOLERANT

A

RAID 0

37
Q

What level of RAID is defined below:

Duplicates all disk writes from one disk to another to create two identical drives.

Very costly from a drive space perspective since half of the available disk is given to mirroring.

A

RAID 1

38
Q

What level of RAID is defined below:

Requires three or more drives to implement. Striping or data like in RAID 0, with redundancy in the form of a dedicated parity drive.

A

RAID 3

39
Q

What level of RAID is defined below:

Also requires three or more drives to implement. The big difference is how parity information is stored.

Rather than using a dedicated parity drive, data and parity information is striped together across all drives.

This level is most popular and can tolerate the loss of any one drive since the parity information on the other drives can be used to reconstruct the lost one.

A

RAID 5

40
Q

What level of RAID is defined below:

Configured as two or more mirros in a stripe.

Also known as RAID 10

A

RAID 1+0

41
Q

Bringing operations back to a working state

A

Recovery

42
Q

Bringing a facility back to a working state

A

Restoration