Domain 7: Security Operations
Real evidence consists of things that may actually be brought into a courtroom as
evidence. For example, real evidence includes hard disks, weapons, and items containing
fingerprints. Documentary evidence consists of written items that may or may not be in
tangible form. Testimonial evidence is verbal testimony given by witnesses with relevant
information. The parol evidence rule says that when an agreement is put into written
form, the written document is assumed to contain all the terms of the agreement.
Hotfixes, updates, and security fixes are all synonyms for single patches designed to
correct a single problem. Service packs are collections of many different updates that serve
as a major update to an operating system or application.
A darknet is a monitored network segment without any hosts.
A darknet is a segment of unused network address space that should have no network
activity and, therefore, may be easily used to monitor for illicit activity. A honeypot is a
decoy computer system used to bait intruders into attacking. A honeynet is a network
of multiple honeypots that creates a more sophisticated environment for intruders to
explore. A pseudoflaw is a false vulnerability in a system that may attract an attacker.
The Common Vulnerabilities and Exposures (CVE) dictionary contains standardized
information on many different security issues. The Open Web Application Security
Project (OWASP) contains general guidance on web application security issues but does
not track specific vulnerabilities or go beyond web applications. The Bugtraq mailing list
and Microsoft Security Bulletins are good sources of vulnerability information but are not
comprehensive databases of known issues.
The checklist review is the least disruptive type of disaster recovery test. During
a checklist review, team members each review the contents of their disaster recovery
checklists on their own and suggest any necessary changes. During a tabletop exercise,
team members come together and walk through a scenario without making any
changes to information systems. During a parallel test, the team actually activates the
disaster recovery site for testing, but the primary site remains operational. During a full
interruption test, the team takes down the primary site and confirms that the disaster
recovery site is capable of handling regular operations. The full interruption test is the
most thorough test but also the most disruptive.
Evidence provided in court must be relevant to determining a fact in question, material
to the case at hand, and competently obtained. Evidence does not need to be tangible.
Witness testimony is an example of intangible evidence that may be offered in court.
The IT Infrastructure Library (ITIL) framework focuses on IT service management.
The Project Management Body of Knowledge (PMBOK) provides a common core of
project management expertise. The Open Group Architecture Framework (TOGAF) focuses
on IT architecture issues.
The four canons of the (ISC)2 code of ethics are:
i) to protect society, the common good, necessary public trust and confidence, and the infrastructure;
ii) to act honorably, honestly, justly, responsibly, and legally;
iii) to provide diligent and competent service to principals;
iv) to advance and protect the profession.
In an electronic vaulting approach, automated technology moves database backups
from the primary database server to a remote site on a scheduled basis, typically daily.
Transaction logging is not a recovery technique alone; it is a process for generating the
logs used in remote journaling. Remote journaling transfers transaction logs to a remote
site on a more frequent basis than electronic vaulting, typically hourly. Remote mirroring
maintains a live database server at the backup site and mirrors all transactions at the
primary site on the server at the backup site.
The two main methods of choosing records from a large pool for further analysis are
sampling and clipping. Sampling uses statistical techniques to choose a sample that is
representative of the entire pool, while clipping uses threshold values to select those records
that exceed a predefined threshold because they may be of most interest to analysts.
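The sampling-versus-clipping distinction above, as an added example that is not part of the original notes: a handful of constructed authentication log lines in a hypothetical "time user result" format are first sampled at random (every record has an equal chance of selection) and then clipped, keeping only users whose failed-login count exceeds a chosen clipping level. The log format, the user names and the threshold are all assumptions made for the illustration.

```python
"""Added example (not from the original notes): statistical sampling vs.
clipping over constructed authentication log records."""
import random
from collections import Counter

# Constructed sample log lines in a hypothetical "time user result" format.
LOG_LINES = [
    "08:00:01 alice FAIL",
    "08:00:05 alice OK",
    "08:01:10 bob FAIL",
    "08:01:12 bob FAIL",
    "08:01:15 bob FAIL",
    "08:01:20 bob FAIL",
    "08:02:00 carol OK",
    "08:02:30 dave FAIL",
    "08:03:00 dave OK",
    "08:04:00 bob FAIL",
]


def parse(line):
    """Split one constructed log line into its three fields."""
    ts, user, result = line.split()
    return {"ts": ts, "user": user, "result": result}


def sample_records(lines, k, seed=0):
    """Sampling: pick k records at random so the subset is representative of
    the whole pool. The seed makes the selection reproducible for review."""
    rng = random.Random(seed)
    return [parse(line) for line in rng.sample(lines, k)]


def clip_failed_logins(lines, threshold):
    """Clipping: count failed logins per user and keep only the users whose
    count exceeds the clipping level. Returns {user: failure_count}."""
    failures = Counter(
        rec["user"] for rec in map(parse, lines) if rec["result"] == "FAIL"
    )
    return {user: n for user, n in failures.items() if n > threshold}


if __name__ == "__main__":
    print("sample:", sample_records(LOG_LINES, 4))
    print("clipped (threshold 3):", clip_failed_logins(LOG_LINES, 3))
```

Sampling answers "what does typical activity look like?", while clipping answers "which records crossed the line?"; a clipping level of 3 here surfaces only the account with five failures, which is the kind of record an analyst wants to look at first.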
RAID-0 is called disk striping. Needs 2 or more disks.
Adv: Speed | Dis: Not fault-tolerant
RAID-1 is also known as disk mirroring. Needs 2 disks.
Adv: Fault-tolerant | Dis: Only n/2 disk storage capacity is available of n disks
RAID-10 is known as disk striping with disk mirroring. Needs a minimum of 4 disks.
Adv: Speed, fault-tolerant | Dis: Only n/2 disk storage capacity is available of n disks
RAID-5 is called disk striping with parity. Needs 3 or more disks. This is the most common setup.
Adv: Fault-tolerant | Dis: Only n-1 disk storage capacity is available of n disks
RAID-6 is called disk striping with double parity. Needs 4 or more disks.
Adv: Fault-tolerant | Dis: Write speed suffers; only n-2 disk storage capacity is available of n disks
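An added example (not from the original notes) of why RAID-5 costs one disk of capacity and yet survives a single disk failure: data is striped across n-1 chunks per stripe, the nth chunk is the XOR parity of the others, and a lost disk is rebuilt by XORing the survivors. The 4-byte chunk size, the simple rotating parity layout and the usable-capacity helper (which just encodes the n, n/2, n-1 and n-2 rules above) are assumptions made for the illustration, not a real controller's layout.

```python
"""Added example (not from the original notes): RAID-5 striping with XOR
parity, single-disk rebuild, and the usable-capacity rules from the notes."""

CHUNK = 4  # assumed chunk size in bytes; real arrays use far larger chunks


def xor_bytes(*chunks):
    """XOR equal-length byte strings together."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data, n_disks):
    """Return n_disks 'disks', each a list of CHUNK-byte blocks. Every stripe
    holds n_disks-1 data chunks and one XOR parity chunk; the parity position
    rotates with the stripe index so no single disk becomes a parity bottleneck."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs 3 or more disks")
    data_per_stripe = CHUNK * (n_disks - 1)
    data = data + b"\x00" * ((-len(data)) % data_per_stripe)  # pad to whole stripes
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // data_per_stripe):
        stripe = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        chunks = [stripe[i * CHUNK:(i + 1) * CHUNK] for i in range(n_disks - 1)]
        parity = xor_bytes(*chunks)
        parity_disk = s % n_disks
        remaining = iter(chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(remaining))
    return disks


def raid5_read(disks, length):
    """Reassemble the original data by skipping each stripe's parity block."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = s % n
        for d in range(n):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def raid5_rebuild(disks, failed):
    """Reconstruct the failed disk: for every stripe the XOR of all n blocks is
    zero, so the missing block equals the XOR of the surviving n-1 blocks."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    rebuilt = [xor_bytes(*blocks) for blocks in zip(*survivors)]
    repaired = list(disks)
    repaired[failed] = rebuilt
    return repaired


def usable_capacity(level, n, disk_size):
    """Usable capacity per the rules in the notes: RAID-0 all n disks,
    RAID-1 and RAID-10 n/2, RAID-5 n-1, RAID-6 n-2."""
    minimum = {"RAID-0": 2, "RAID-1": 2, "RAID-10": 4, "RAID-5": 3, "RAID-6": 4}
    if n < minimum[level]:
        raise ValueError(f"{level} needs at least {minimum[level]} disks")
    data_disks = {"RAID-0": n, "RAID-1": n // 2, "RAID-10": n // 2,
                  "RAID-5": n - 1, "RAID-6": n - 2}[level]
    return data_disks * disk_size


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"
    array = raid5_write(payload, 4)
    array[1] = None  # simulate losing disk 1
    print(raid5_read(raid5_rebuild(array, 1), len(payload)))
```

Losing a second disk before the rebuild finishes leaves stripes with two unknowns and one parity equation, which is exactly the gap RAID-6's second parity closes at the price of another disk and slower writes.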
In an infrastructure as a service (IaaS) environment, the vendor is responsible for hardware and
network-related responsibilities. These include configuring network firewalls,
maintaining the hypervisor, and managing physical equipment. The customer retains
responsibility for patching operating systems on its virtual machine instances.
Data loss prevention (DLP) systems may identify sensitive information stored on
endpoint systems or in transit over a network. This is their primary purpose.
If software is released into the public domain, anyone may use it for any purpose, without
restriction. All other license types, such as the GNU Public License, freeware, and open source, contain
at least some level of restriction.