130 Cards in this Set
What is it called when you grant access only for what is needed to perform the task? |
Need to Know |
|
What is it called when privileges are granted necessary to perform the task and no more? |
Least Privilege |
|
What is the amount of privilege granted? |
Entitlement |
|
What is the amount of privileges collected over time? |
Aggregation |
|
What extends a trust relationship between two security domains to all of their sub domains? |
Transitive Trust |
|
True or False. Nontransitive trust enforces the principle of least privilege. |
True |
|
What establishes granular rights across apps and processes and uses least privilege to separate responsibilities? |
Separation of privileges |
|
What is applying least privilege to separation of duties to prevent fraud? |
Segregation of duties |
|
What should be the default level of access? |
No access |
|
What is an agreement between 2 parties to abide by agreed upon rules when transmitting sensitive data back and forth? |
Interconnection Security Agreement |
|
What is a button that sends a distress call? |
Duress system |
|
What runs as guest OSs on physical servers? |
VMs |
|
What manages the VM environment? |
Hypervisor |
|
What should you do with reusable media that has hit its MTTF (mean time to failure)? |
Destroy it |
|
What are these characteristics of? Broad network access; rapid elasticity; measured service; on-demand self-service. |
Cloud computing |
|
What is a new class of tools that can detect access to, and usage of, cloud-based services? |
CASB (Cloud Access Security Brokers) |
|
What ensures systems are deployed in a consistent state and maintain that state throughout their lifetime? |
Configuration management |
|
True or False. The primary goal of change management is to ensure that changes do not cause outages (availability). |
True |
|
Usability and security often conflict. What ensures you take the time to evaluate the trade-offs? |
Change management |
|
What is the change management process? |
Request > Review > Approve/Reject > Implement > Document |
|
What is patch Tuesday and exploit Wednesday? |
Attackers expect patching delays, so they reverse engineer the patch released on Tuesday and start attacking on Wednesday. (MSFT releases patches every Tuesday) |
|
What is the most common vulnerability in a company? |
Unpatched systems |
|
What is the primary goal of incident response? |
Minimize impact |
|
Who are typically the first responders to a security incident in an organization? |
IT |
|
What is an indirect attack where traffic or networks are reflected back to a system from other sources? |
DRDoS Distributed Reflective Denial of Service |
|
What common DoS attack disrupts the 3-way communication handshake? It sends many SYNs without ever sending an ACK. |
SYN Flood Attack |
|
What attack is it where attackers send echo requests as a broadcast to all systems on the network while spoofing the source? They all respond to the victim at once. You can prevent this by setting routers not to forward broadcasts. |
Smurf Attack |
|
What attack floods a victim with ping requests (thousands of systems simultaneously ping a system via botnets)? Block it with an IDS that can block ICMP (Internet Control Message Protocol) traffic. |
Ping Flood Attack |
|
What are computers (aka zombies) that act like robots and do what the attacker tells them to do? |
Botnets |
|
True or False. Computers join botnets after being infected. Block them with up-to-date anti-malware and patched systems along with updated browsers and their plug-ins. |
True |
|
What famous botnet attack was used to collect credentials to financial systems? It distributed the CryptoLocker ransomware and infected up to 1 million systems. Operation Tovar (an international law enforcement team) cut off its communication, but it's growing again. |
Gameover Zeus (GOZ) |
|
What attack changes the normal 32- or 64-byte ping packets to something larger, causing a system crash or buffer overflow? It is easily blocked with up-to-date patches. |
Ping of Death attack |
|
What attack fragments traffic to render it unreadable (system can't put it back together again)? |
Teardrop attack |
|
What attack sends spoofed SYN packets using the victim's IP address as both source and destination, tricking the system into constantly replying to itself? |
Land attack |
|
What is the most common form of security breach today? |
Malware (aka malicious sw, malcode, etc) |
|
True or False. Years ago, floppy disks were the most common means of distributing malware. Then it was email. Now it is drive-by download. |
True |
|
What is using a modem to find a system that accepts inbound connections? |
War dialing |
|
What is a malicious act of gathering proprietary info about an organization? |
Espionage |
|
What is the difference between an IDS (intrusion detection system) and an IPS (intrusion prevention system)? |
IDS detects intrusions by looking at logs & real-time events and IPS does IDS & stops/prevents the intrusion. IDS is not placed in line with traffic, IPS is. |
|
What kind of intrusion detection uses signatures (db of known attacks)? |
Knowledge-based detection |
|
What kind of intrusion detection compares activity against a baseline of normal performance? (Has a high amount of false alarms) |
Behavior-based detection |
|
What are IDS's 2 response options? |
1. Passive response (log event and send notification) 2. Active response (changes environment to block the activity as well as log and send notifications) |
|
What IDS monitors a single computer, but is costly to manage and can't always tell if an attack was successful? |
Host-based IDS (HIDS) |
|
What IDS monitors a network, but cannot monitor encrypted traffic? |
Network-based IDS (NIDS) |
|
What is the portion of IP addresses on a network that are not used called? It requires special SW or authorization to access and uses non-standard protocols. |
Darknet |
|
What are computers created as a trap for intruders called? |
Honeypots |
|
What are 2 or more networked honeypots called? (Used to simulate a network) |
Honeynet |
|
True or False. The goal of honeypots/nets is to attract the attention of attackers away from the real data. You can entice, but not entrap (solicit attackers to it). |
True |
|
What is similar to the honeypot, but performs intrusion isolation by transferring the intruder to a simulated environment? |
Padded Cell |
|
What is another name for pen testing? |
Ethical hacking |
|
What type of logs record what sites users visit and how much time they spent there? |
Proxy logs |
|
What is a central application that automatically monitors systems on a network and logs events? |
SIEM (Security Information and Event Mgmnt) |
|
What is monitoring outgoing traffic to prevent data exfiltration called? |
Egress monitoring |
|
What solution detects and blocks data exfiltration? |
DLP (Data Loss Prevention) |
|
What DLP scans all outgoing data on the network looking for specific data? |
Network-based DLP |
|
What DLP scans files stored on a system? |
Endpoint-based DLP |
|
What type of security control is an audit trail, Detective or Administrative? |
Detective |
|
True or False. The goal of disaster recovery planning is to restore normal business activity. Your DRP should be able to almost run on autopilot, with minimal decisions needing to be made during a disaster. |
True |
|
What is the goal of system resilience and fault tolerance? |
Eliminate single points of failure |
|
What is the difference between Read-through and Walk-through DRP testing? |
Read-through is where an individual reviews the DRP documents. Walk-through is where several people gather and go through it together. |
|
What DRP testing is where all designated disaster recovery personnel go through the motions as if it were a real recovery? |
Simulation test |
|
What is the assurance that a system is secure after a failure? |
Trusted recovery |
|
What is the difference between fail open and fail secure? |
System fails in an insecure state with fail open (all access is open). It fails in a secure state with fail secure. (Your choice depends on whether security or availability is most important) |
|
When you configure the system to reboot from a failure into a single user, non-privileged state, what are you implementing? |
A Trusted Solution |
|
What type of recovery does not fail in a secure state? Instead, an admin manually resets the system to a secure state. |
Manual recovery |
|
What type of recovery is where the system restores itself to a trusted state? |
Automated recovery |
|
What type of recovery is where the system restores itself to a trusted state and restores data or verifies key system components? |
Automated recovery without undue loss |
|
What type of recovery is where the system automatically recovers specific functions (e.g. roll back to last known secure state)? |
Function recovery |
|
What should you use to help you identify how much of a business unit/business function to recover 1st, 2nd and so on in a disaster? |
Business Impact Assessment (BIA) report |
|
What are standby facilities used to keep the business running manually during a disaster? No computing is pre-installed. They take weeks to activate, but are the cheapest option. |
Cold sites (redundant fail over recovery site) |
|
What disaster recovery site contains data links and equipment; takes ~12 hours to activate as you transport backup media to the site and get operations going again? |
Warm site |
|
What disaster recovery site is most expensive as it fully replicates your business? Takes 1-2 hours to activate. |
Hot site |
|
What are self-contained trailers set up to keep a specific business function operating? Can be set up as 'fly away' so they are ready to deploy at any location. Are usually configured as cold or warm sites. |
Mobile sites |
|
What is it when 2 companies pledge availability to the other in case of emergency? |
Reciprocal site |
|
In db recovery, what is it where db backups are moved to a remote site using bulk transfers (can result in significant delay when recovering)? |
Electronic vaulting |
|
In db recovery, what is it where you perform bulk data transaction transfers on a more frequent basis than electronic vaulting? |
Remote journaling |
|
In db recovery, what is the most advanced and expensive option, where a live db is maintained in real time at the backup site? |
Remote mirroring |
|
True or False. You should put the most essential task (e.g. activate the building alarm) first on the disaster recovery plan checklist. |
True |
|
What is the most important tool in the disaster recovery plan? |
The checklist. Because it provides a sense of order which is needed in a chaotic scenario. |
|
What document do you give to public relations and others needing a high level summary of your disaster recovery efforts while they are underway? |
Executive Summary |
|
What backup type is a complete copy of data? It resets the archive setting. |
Full backup |
|
What backup type stores only files that have been modified since the last incremental or full backup? It resets the archive setting. |
Incremental backup |
|
What backup type stores only files that have been modified since the last full backup? Does not reset the archive setting. |
Differential backup |
|
What is the quickest way to create backups? |
Combine full and incremental backups |
|
What provides the quickest restoration time? |
Combine full backup with differential backups |
|
What is the biggest obstacle when it comes to abiding by a backup strategy? |
Human nature |
|
What is the difference between recovery and restoration? |
Recovery is bringing the business operation back to a working state. Restoration is bringing the facility and environment back to a working state. |
|
What investigation type's scope is computing infrastructure and its goal is resolving operational issues like performance? You use root cause analysis here. |
Operational investigation |
|
What investigation type's scope is violation of criminal law and is usually conducted by law enforcement? Must meet beyond a reasonable doubt |
Criminal investigation |
|
What investigation type's scope is disputes between 2 parties and is conducted by employees or a 3rd party on behalf of a legal team? Must meet preponderance of evidence, meaning more likely than not. |
Civil investigation |
|
What investigation type's scope is individual or corporate violations of administrative law and is conducted by the government? |
Regulatory investigation |
|
What are the 9 steps of the Electronic Discovery Reference Model (steps for conducting eDiscovery)? |
1. Information Governance 2. Identification 3. Preservation 4. Collection 5. Processing (rough cut) 6. Review 7. Analysis (deeper review) 8. Production 9. Presentation |
|
What kind of evidence must be relevant, material (applicable), and competent (obtained legally)? |
Admissible evidence |
|
What type of evidence is physical evidence? Can also be conclusive evidence, such as DNA. Must be authenticated. |
Real (Object) evidence |
|
What is evidence that has been reproduced from an original? A copy of an original documentation, as an example. |
Secondary evidence |
|
What evidence rule says 'use the original document'? |
Best evidence rule |
|
What evidence rule is it where the document contains all of the agreement, no verbal agreements can modify it? |
Parol evidence rule |
|
What type of evidence is written? Has to be relevant, competent, material, and meet Best evidence & Parol rules. |
Documentary evidence |
|
When an object cannot be authenticated, this documents everyone who handled the evidence. |
Chain of evidence (custody) |
|
What type of evidence is testimony of a witness (must not be hearsay)? |
Testimonial evidence |
|
What should you do when working with digital evidence? |
Use a copy to keep the original in original condition. |
|
What are the 6 principles for collecting forensically recovered electronic evidence created by IOCE (International Organization on Computer Evidence)? |
1. Apply all general forensic principles to it 2. Do not change it 3. Only trained personnel access it 4. Document the activity of collecting and processing it 5. Whoever has possession of it is responsible for it 6. Agencies involved must comply with these principles |
|
What category of computer crime is seeking secret and restricted information from law enforcement or military? |
Military and Intelligence attacks |
|
What category of computer crime is seeking an organization's confidential information (industrial espionage)? |
Business attacks |
|
What category of computer crime is seeking money or services from anyone? |
Financial attacks |
|
What category of computer crime is seeking to disrupt normal life and instill fear? |
Terrorist attacks |
|
What category of computer crime is seeking to disrupt a corporation or a person? |
Grudge attacks |
|
What category of computer crime is seeking fun (hacktivist)? |
Thrill attacks |
|
What is the most common reason incidents are not reported? |
They are not identified. |
|
What are the 4 primary / high level responsibilities of a CIRT (computer incident response team) / CSIRT (computer security incident response team)? |
1. Determine scope of damage 2. Determine if confidential data was compromised 3. Implement recovery procedures 4. Make sure it can't happen again |
|
What are the 3 steps in the incident response process? |
1. Detect and identify (inform appropriate personnel) 2. Respond and report (to mgmnt) 3. Recover and remediate (lessons learned) |
|
How many primary categories do business disasters that cause critical outages generally fall into? |
3. Humans, elements and physical surroundings |
|
Is Exposure Factor considered subjective or objective? |
Subjective. EF is based on theorized analysis and data believed to be applicable. |
|
What risk assessment deals with straight mathematical evaluations? |
Quantitative. There are 3 approaches to risk assessment: quantitative, qualitative and semi-quantitative. |
|
What type of evidence doesn't allow evidence of prior oral agreements that occurred before or while the agreement was being formed? |
Parol evidence |
|
What is a loophole deliberately implanted as a trap for intruders? |
Pseudoflaw |
|
What investigative device intercepts and modifies or discards commands sent to a storage device? |
Forensic disk controller |
|
Which is more formal, SLA or OLA? |
SLA is a contract between a service provider and a customer while OLA is an agreement between operation groups in an organization. |
|
What is the key difference between remote journaling and electronic vaulting? |
Remote journaling sends transactions to a remote site frequently, while electronic vaulting sends the full db to a remote site less frequently. |
|
What DoS attack sends a large amount of spoofed UDP traffic? |
Fraggle attack |
|
What separates the control plane from the data plane in virtual and non-virtual environments? |
SDN. Software defined networking |
|
What contains an entry for every network communication session and can be used to compare to a list of known malicious hosts? |
Netflow records |
|
Is a hacking incident considered a disaster when performing disaster recovery planning? |
Yes |
|
Would you expect a member of senior management to be part of a CSIRT? |
Yes |
|
What describes the default set of privileges assigned to a user when a new account is created, baseline or entitlement? |
Entitlement |
|
What is the difference between steganography and watermarking? |
Steganography is used to hide information in a file, like a picture. Watermarking also manipulates a picture but does so to protect intellectual property, such as a logo. Can be visible or invisible. |
|
During which phase do administrators take action to limit the effect or scope of an incident, Response or Mitigation? |
Mitigation, because that is the phase where action is taken to contain damage. |
|
There are 2 methods for choosing records from a large set: sampling and clipping. Which one uses thresholds to select records and which one uses statistical techniques? |
Sampling uses statistical techniques and Clipping uses thresholds |
|
True or False. In IaaS, the vendor is responsible for the HW and network. |
True. You would still be responsible for patching systems on your virtual systems. |
|
What is the only sw license that has no restrictions? You can copy, modify and resell it. |
Public domain. Open source has some restrictions. |