
EIDWS Board Book 3: Command Specific

This contains the material for NCDOC's Command Specific EIDWS Board questions.
What information is found on a service member's Page 2?
Emergency contact information and dependents.
What information is found on a service member's Page 4?
Awards and qualifications.
What information is found on a service member's Page 13?
Administrative remarks and counselings.
What is used for the purchase of NON NSN items?
DD 1348-6
What form is used for the transfer of material from one command to another?
DD 1149
How many characters are there in an NSN?
13: a 4-digit Federal Supply Class (FSC) followed by the 9-digit National Item Identification Number (NIIN).
What are the first 4 characters of the NSN referred to as?
The Federal Supply Class (FSC); its first 2 digits are the Federal Supply Group.
What are the main responsibilities of the Agency Program Coordinator (APC)?
Day-to-day oversight and audit management of the Purchase Card Program; the APC is the program's accountable official.
What is the threshold for construction related purchases?
What is the threshold for training related purchases?
What is the threshold for JWOD/Servmart related purchases?
What is the function of the following circuits: 768J and 72KK
768J is the primary, and 72KK is the secondary circuit.
Explain the procedures for building a computer system.
CPU, motherboard, monitor, RAM, NIC, power supply, hard drive, fan, video card, OS, keyboard, peripherals.
Name all of the Windows Servers and their functions.
Proxy, Print, Exchange, File Server, Domain Controller, HBSS, Zenworks, Microsoft SUS, Ghost Server, Good Mail Server, ISA Proxy, Network Monitoring App, ?Mark/Perc Training, What's Up Gold.
State the process for creating a New User Account and Mailbox.
NIPR: the account is created in Exchange and replicates to Active Directory. SIPR: the account is created in Active Directory and replicates to Exchange. A SAAR signed by the SSO is required. Confirm the account on the file server, and on NIPR change the logon name to the user's 10-digit CAC EDIPI@mil (the DoD ID number printed on the CAC, never the PIN).
Add a user to the proper alias and distribution list.
In the account's Properties, open the "Member Of" tab and click "Add" to add the required groups.
Reset a user's password.
Right click account, and click "Reset Password".
View a user's email storage size.
Right click name, "Properties", and "General".
Set a user's email storage size.
Exchange Management Console: mailbox Properties, "Mailbox Settings", "Storage Quotas" (clear "Use mailbox database defaults" and set the warning, prohibit-send, and prohibit-send/receive limits). "Mail Flow Settings", "Message Size Restrictions" limits the size of individual messages, not the mailbox.
Delete a mailbox.
Right click account, "Remove".
Reset a user's profile and save the user's desktop.
On the file server: My Computer, Storage, Profiles, then rename the user's profile folder. Windows builds a fresh profile at the next logon, and the old desktop stays in the renamed folder. The user MUST be logged off first, or the profile is still in use.
What is the purpose of an Organizational Unit (OU)?
A container created in Active Directory to organize users, groups, and computers so that Group Policy and delegated administration can be applied to them as a unit.
What is the function of the Active Directory Users and Computers MMC Snap-in tool?
Creates and manages the domain's users, groups, computers, and OUs (account properties, group membership, password resets).
What is the function of the Certificates MMC Snap-in tool?
Views and manages the certificates in the user's and computer's certificate stores; the CAC certificates it shows are what grant access to CAC-protected sites.
What is the function of the Event Viewer MMC Snap-in tool?
Displays the Application, Security, and System event logs of the local (or a remote) computer, such as logon events and application errors.
What is the function of the Computer Management MMC Snap-in tool?
Creates local users and groups, and lets you view event logs, shared folders, services, and device settings on the local computer.
What is the function of the Security Templates MMC Snap-in tool?
Creates and edits security templates (.inf files) holding a baseline of security settings (account policies, audit policy, user rights, event log, restricted groups, services, registry and file permissions) that can be applied to a computer or imported into a GPO, so new machines are secured consistently when added to the network.
Describe the process for creating an NCD.
Sensor OPS creates the CER, Sensor OPS generates initial ticket in Remedy, and IH follows up with ticket.
Explain the following Computer Network Incident phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity.
Preparation - secure and patch the network before an incident occurs.
Detection and Analysis - scans, antivirus alerts, and log review to confirm and scope the incident.
Containment, Eradication, and Recovery - safely quarantine the affected hosts, remove the malicious code, and restore systems to service.
Post-Incident Activity - lessons learned.
Explain the information in a CER: Early Indicator and Warning Report; Intrusion Detection System; NSA/CSS Threat Operations Center (NTOC).
Early Indicator and Warning Report - activity observed that could lead to further issues.
Intrusion Detection System - alerts received from the IDS.
NSA/CSS Threat Operations Center (NTOC) - reporting from NTOC, processed by Threat Analysis as it is received.
What are the 3 Mission Assurance Categories?
MAC I - systems vital to operational readiness or mission effectiveness; their loss causes an immediate and sustained loss of mission effectiveness.
MAC II - systems important to supporting deployed and contingency forces; their loss delays or degrades operations but is tolerable in the short term.
MAC III - systems needed for day-to-day business (most workstations); their loss has no material short-term impact.
What is the NCDOC Timeline for Investigation Updates?
Update message on SIPR within 24 hours. Next 24 hours - DINQ to ISIC. Next 24 hours - message goes up the chain of command and the CNDWO is notified.
What should be considered for eradicating a threat?
1) What type of system. 2) What kind of malicious logic.
What should be considered during the recovery phase?
Whether to patch, wipe, re-image, etc.
What are the necessary steps after receiving the final report from the command?
1) Review the target IP.
2) Review the source IP.
3) Identify the host affected.
4) Seek any required information.
5) Apply updates.
6) Confirm A/V was updated within the last 7 days.
7) Make the ticket ready for the lead.
8) Lead QCs the ticket.
9) Mark it ready for QC.
10) QC closes or corrects the ticket.
Explain why a Navy command may be disconnected from the GIG?
Non-compliance, outbreak, Denial of Service, Non-Responsiveness
What is the difference between incident and an event?
Event - anything observable that happens on a machine or network; not necessarily malicious. Incident - an event (or set of events) that is malicious or violates security policy and therefore requires a response.
What is a worm?
Self-replicating malware that spreads to other hosts over the network on its own, without user action.
What is a virus?
Malicious code that attaches itself to a host file or program and requires user action (opening or running the host) to execute and propagate.
What is a logic bomb?
Malicious code that lies dormant until a specific time or event triggers it.
What is a Trojan Horse?
Malicious code hidden inside an application that appears legitimate; unlike a worm or virus, it does not replicate itself.
What is a root-kit?
Software that hides its presence on a compromised host (concealing processes, files, and network connections) and maintains persistent privileged (system-level) access for the attacker.
What is spear phishing?
A targeted social engineering attempt, typically by email, aimed at a specific person or organization and crafted with details about the target to appear legitimate.
What is a Denial of Service?
An attack that makes a system or network service unavailable to legitimate users, usually by exhausting its bandwidth, connections, or other resources.
What is a Buffer Overflow?
Writing more data into a memory buffer than it can hold, overwriting adjacent memory; this can crash the system or, if the overwritten memory is crafted by the attacker, allow arbitrary code execution.
What is the mission of QC cell?
Grade IH technicians, Quality Control, Close out tickets, and fix mistakes.
What incident categories require a closure message?
1, 2, 4, and 7.
What does SCCVI stand for?
Secure Configuration Compliance Validation Initiative.
What is SCCVI comprised of?
A network vulnerability scanning capability (eEye Retina) that scans hosts and produces compliance and validation reports.
What does SCRI stand for?
Secure Configuration Remediation Initiative.
What does SCRI do?
A network patching capability that remediates or mitigates non-compliant IAVMs by pushing the needed patches to the affected hosts.
How do you reset a password on OCRS?
Obtain the user's name, select the "SysAdmin" link on the left, enter the user's last name under "Search", click "Search", select the correct user, and on the "User Information" page click "Reset Password".
What is the purpose of OCRS?
Allows commands/enclaves to report compliance status for each IAVM product.
How can a command become fully compliant in OCRS?
The number of assets affected must equal the number of assets corrected for each IAVM.
What is the purpose of Vulnerability Management System?
A DISA-managed system used to track and acknowledge compliance with IAVM vulnerabilities.
What action items can be performed by the day watch daily?
Logs, Update VMS, Trouble Calls, Emails, Phone Calls, and Messages.
What are the 5 websites that current information on vulnerabilities can be viewed?
What form is required to be with any piece of evidence before it is accepted?
A chain-of-custody form: a detailed account of what the item is, who owns it, serial numbers, and other amplifying information. It provides the legal foothold for prosecution, since evidence with a broken or missing custody record can be challenged in court.
What is the proper packaging procedure for shipping SECRET hard drives?
The only authorized carrier is USPS, and the drive must be double-wrapped in opaque brown paper.
List 3 hardware device types required to image a hard drive or other form of evidence.
Write blocker, Talon/Quest for forensic wiping, and Road Master for imaging.
What is the purpose of a write blocker?
Prevents any writes to the original media, so the evidence is preserved unaltered and the hash of the image can be shown to match the source.
Why are virtual machines are important when conducting malware analysis?
The malware can be executed inside the virtual machine without infecting the analyst's host. Once the malware is identified and a countermeasure is found, the virtual machine is reset to a known-good snapshot, leaving the actual host machine unaffected.
What is the difference between wiping and formatting a drive?
Formatting only rewrites the file system metadata (the allocation tables and directory entries); the file contents stay on the disk and can be carved out until they are overwritten.
A forensic wipe overwrites every sector of the drive, so the file contents are actually destroyed.
What is the difference between imaging and cloning a drive?
Imaging produces a file (a bit-for-bit copy of the drive, verified by hash) that can be stored and analyzed without touching the original.
Cloning writes that bit-for-bit copy directly onto another physical drive, producing a working duplicate of the original.
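The four ideas above (write blocker, verified image, format versus forensic wipe) on a toy disk, as an added example that is not part of the original board book. The disk layout, the "file table" in sector 0, and the file contents are all constructed here; the write blocker is a plain Python wrapper that refuses writes, standing in for the hardware device.

```python
"""Added example: write blocking, hash-verified imaging, and format vs wipe
demonstrated on a constructed 8 KiB 'disk' (not real forensic tooling)."""
import hashlib
import os

SECTOR = 512      # bytes per sector; sector 0 holds the toy file table
N_SECTORS = 16    # 8 KiB disk in total


def make_disk():
    """Constructed evidence disk: one file listed in sector 0, data in sector 3."""
    disk = bytearray(SECTOR * N_SECTORS)
    data = b"SECRET//NOFORN evidence text"          # constructed file contents
    disk[3 * SECTOR:3 * SECTOR + len(data)] = data
    table = b"evidence.txt\x00sector=3\x00"          # constructed file table
    disk[0:len(table)] = table
    return disk


class WriteBlocker:
    """Read-only view of the source media: reads pass through, writes are refused."""

    def __init__(self, media):
        self._media = media

    def read_all(self):
        return bytes(self._media)          # a copy, so callers cannot alias the source

    def __setitem__(self, key, value):
        raise PermissionError("write blocked: source media is read-only")


def sha256(buf):
    return hashlib.sha256(buf).hexdigest()


def image(blocked):
    """Bit-for-bit image taken through the write blocker, plus its hash."""
    img = blocked.read_all()
    return img, sha256(img)


def format_disk(disk):
    """Quick format: only the file-table sector is cleared; data sectors stay."""
    disk[0:SECTOR] = bytes(SECTOR)


def forensic_wipe(disk, passes=1):
    """Overwrite every sector with random data, then a final zero pass."""
    for _ in range(passes):
        disk[:] = os.urandom(len(disk))
    disk[:] = bytes(len(disk))


def table_lists(disk, name):
    """Does the file table still reference the file?"""
    return name in bytes(disk[0:SECTOR])


def carve(disk, marker):
    """Content carving: scan raw sectors for a known string, ignoring the table."""
    return disk.find(marker) != -1


def demo():
    source = make_disk()
    blocked = WriteBlocker(source)
    try:                                   # an accidental write must be refused
        blocked[0] = 0
        write_refused = False
    except PermissionError:
        write_refused = True
    img, img_hash = image(blocked)
    work = bytearray(img)                  # analysis happens on the copy only
    format_disk(work)
    after_format = (table_lists(work, b"evidence.txt"), carve(work, b"NOFORN"))
    forensic_wipe(work)
    after_wipe = (table_lists(work, b"evidence.txt"), carve(work, b"NOFORN"))
    return {
        "write_refused": write_refused,
        "image_hash": img_hash,
        "image_verified": img_hash == sha256(source),
        "after_format": after_format,      # (listed in table?, carvable?)
        "after_wipe": after_wipe,
        "source_hash_after": sha256(source),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

After the quick format the file is gone from the table but the string "NOFORN" is still carvable from sector 3; only the wipe removes it. The source hash computed at the end still matches the image hash because every operation was performed on the copy.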
What is the difference between Host Based and Network Based IDS?
A host-based IDS runs on a single machine and monitors only that host's activity (its traffic, logs, and files), while a network-based IDS watches the traffic of a whole network segment from one sensor.
What is the difference between IDS and IPS?
An IDS sits out of band, monitoring a copy of the traffic from a mirrored (SPAN) port, so it can only alert. An IPS sits inline in the traffic path, so it not only monitors but can actively block the offending session; the cost is that a false positive on an IPS blocks legitimate traffic.
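The IDS/IPS distinction in code, as an added example that is not from the board book: one signature engine run passively (alert only, every flow delivered) and inline (alert and drop). The flows and the two signatures are constructed for the example and are not real vendor rules; the fourth flow is a benign page whose name happens to contain "cmd.exe", to show what a false positive costs on an inline sensor.

```python
"""Added example: the same signature engine in IDS (passive) and IPS (inline)
positions, run over constructed flow records."""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signatures for the example: (destination port, byte pattern).
SIGNATURES = {
    "web-shell-upload": (80, b"cmd.exe"),
    "smb-scan": (445, b"\xffSMB"),
}


def match(flow):
    """Return the name of the first signature the flow matches, else None."""
    for name, (port, pattern) in SIGNATURES.items():
        if flow.dport == port and pattern in flow.payload:
            return name
    return None


def run_ids(flows):
    """Passive sensor on a mirrored port: it sees a copy, so every flow is
    delivered regardless; the only output is the alert list."""
    alerts, delivered = [], []
    for f in flows:
        sig = match(f)
        if sig:
            alerts.append((sig, f.src))
        delivered.append(f)
    return alerts, delivered


def run_ips(flows):
    """Inline sensor: a matching flow is alerted on AND dropped; the rest pass."""
    alerts, passed, blocked = [], [], []
    for f in flows:
        sig = match(f)
        if sig:
            alerts.append((sig, f.src))
            blocked.append(f)
        else:
            passed.append(f)
    return alerts, passed, blocked


def sample_flows():
    """Constructed traffic: two attacks, one clean DNS query, one false positive."""
    return [
        Flow("10.1.1.5", "10.2.2.8", 80, b"POST /upload HTTP/1.1\r\n\r\ncmd.exe /c whoami"),
        Flow("10.1.1.6", "10.2.2.1", 53, b"\x12\x34\x01\x00 example query"),
        Flow("10.1.1.7", "10.2.2.9", 445, b"\x00\x00\x00\x85\xffSMBr\x00\x00\x00\x00"),
        Flow("10.1.1.9", "10.2.2.8", 80, b"GET /kb/how-to-use-cmd.exe.html HTTP/1.1"),
    ]


if __name__ == "__main__":
    flows = sample_flows()
    ids_alerts, delivered = run_ids(flows)
    ips_alerts, passed, blocked = run_ips(flows)
    print("IDS: alerts", len(ids_alerts), "delivered", len(delivered))
    print("IPS: alerts", len(ips_alerts), "passed", len(passed), "blocked", len(blocked))
```

Both sensors raise the same three alerts, including the false positive on the knowledge-base page. The IDS still delivers all four flows and leaves the response to an analyst; the IPS drops three, so the legitimate page request is lost along with the two attacks. That trade-off is why IPS signatures are tuned more conservatively than IDS ones.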
What type of network is XNET?
Any legacy-based network, such as NCDOC.
What type of network is IT21?
Networks designed for connectivity between ships and shore sites.
What type of network is ONENET?
ONENET provides NMCI like connectivity for OCONUS locations.
What type of network is BUMED?
Network connectivity of Medical locations.
What is the function of the IP Security Policies MMC Snap-in tool?
This security setting allows you to permit, block, or negotiate security for TCP/IP traffic.