Chapter 7: Security Operations (Domain 7) 389
- D. Any attempt to undermine the security of an organization or violation of a security policy is a security incident. Each of the events described meets this definition and should be treated as an incident.
- D. Egress filtering scans outbound traffic for potential security policy violations. This includes traffic with a private IP address as the destination, traffic with a broadcast address as the destination, and traffic that has a falsified source address not belonging to the organization.
- C. The two main methods of choosing records from a large pool for further analysis are sampling and clipping. Sampling uses statistical techniques to choose a sample that is representative of the entire pool, while clipping uses threshold values to select those records that exceed a predefined threshold because they may be of most interest to analysts.
- B. Netflow data contains information on the source, destination, and size of all network communications and is routinely saved as a matter of normal activity. Packet capture data would provide relevant information, but it must be captured during the suspicious activity and cannot be re-created after the fact unless the organization is already conducting 100 percent packet capture, which is very rare. Additionally, the use of encryption limits the effectiveness of packet capture. Intrusion detection system logs would not likely contain relevant information because the encrypted traffic would probably not match intrusion signatures. Centralized authentication records would not contain information about network traffic.
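The three answers above on egress filtering, on sampling versus clipping, and on Netflow records fit together in one workflow: flow records are the routinely saved evidence, egress rules flag the flows that violate policy, and clipping or sampling decides which of the flagged records an analyst looks at first. The script below is an added illustration written for this page, not code from the study guide. It assumes a constructed set of flow records in which 203.0.113.0/24 (RFC 5737 documentation space) stands in for the organization's public address range and 198.51.100.0/24 stands in for the Internet; the rule set (RFC 1918 destinations, limited or directed broadcast destinations, sources outside the organization's range) follows the answer text.

```python
import ipaddress
import random
from collections import Counter

# Constructed NetFlow-style records (src, dst, bytes); not taken from the book.
# 203.0.113.0/24 is assumed to be the organization's public range, and
# 198.51.100.0/24 plays the role of external Internet hosts.
FLOWS = [
    ("203.0.113.10", "198.51.100.5", 1200),
    ("203.0.113.10", "198.51.100.7", 800),
    ("203.0.113.11", "10.0.0.5", 500),         # private destination leaving the perimeter
    ("203.0.113.11", "192.168.1.9", 300),      # private destination again
    ("203.0.113.11", "172.16.4.4", 300),       # and again: this host is noisy
    ("203.0.113.12", "255.255.255.255", 60),   # limited broadcast destination
    ("192.0.2.77", "198.51.100.9", 4000),      # source not ours: falsified/spoofed
    ("203.0.113.13", "198.51.100.5", 20000),
]

ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed org range
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def egress_violations(src, dst):
    """Return the egress-policy violations for one outbound flow (empty = allowed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    reasons = []
    # Private (RFC 1918) destinations should never leave the perimeter.
    if any(d in net for net in RFC1918):
        reasons.append("private destination")
    # Limited broadcast, or directed broadcast of one of our own networks.
    if d == LIMITED_BROADCAST or any(d == net.broadcast_address for net in ORG_NETWORKS):
        reasons.append("broadcast destination")
    # Outbound packets must carry a source address the organization actually owns.
    if not any(s in net for net in ORG_NETWORKS):
        reasons.append("spoofed source")
    return reasons


def filter_egress(flows):
    """Split flows into (allowed, blocked); blocked entries carry their reasons."""
    allowed, blocked = [], []
    for src, dst, size in flows:
        reasons = egress_violations(src, dst)
        (blocked if reasons else allowed).append((src, dst, size, reasons))
    return allowed, blocked


def clip(flows, threshold):
    """Clipping: sources whose number of violating flows exceeds the threshold."""
    counts = Counter(src for src, dst, _ in flows if egress_violations(src, dst))
    return {src: n for src, n in counts.items() if n > threshold}


def sample(flows, k, seed=0):
    """Sampling: a seeded random subset intended to represent the whole pool."""
    return random.Random(seed).sample(flows, k)


if __name__ == "__main__":
    allowed, blocked = filter_egress(FLOWS)
    print(f"{len(allowed)} flows allowed, {len(blocked)} blocked")
    for src, dst, size, reasons in blocked:
        print(f"  block {src} -> {dst} ({size} B): {', '.join(reasons)}")
    print("clipping (more than 2 violations):", clip(FLOWS, 2))
    print("random sample of 3 flows:", sample(FLOWS, 3))
```

Clipping here answers "which sources crossed the line more than N times" and surfaces the host that repeatedly sent to RFC 1918 space, while sampling simply hands the analyst a representative slice of the pool; the two address different review questions, which is the distinction the answer draws. The checks deliberately avoid Python's `is_private` property, because it also classifies documentation ranges such as 203.0.113.0/24 as private and would mislabel the organization's own traffic.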
- C. Baseline configurations serve as the starting point for configuring secure systems and applications. They contain the security settings necessary to comply with an organization’s security policy and may then be customized to meet the specific needs of an implementation. While security policies and guidelines may contain information needed to secure a system, they do not contain a set of configuration settings that may be applied to a system. The running configuration of a system is the set of currently applied settings, which may or may not be secure.
- B. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
- C. Both the receipt of alerts and the verification of their accuracy occur during the Detection phase of the incident response process.
- A. Virtual machines run full guest operating systems on top of a host platform known as the hypervisor.
- B. RAID level 1 is also known as disk mirroring. RAID-0 is called disk striping. RAID-5 is called disk striping with parity. RAID-10 is known as a stripe of mirrors.