2.1 Security Concepts Flashcards

1
Q

the process of maintaining systems, such as computer hardware and software, in a desired state. A method of ensuring that systems perform in a manner consistent with expectations over time.
• The only constant is change
– Operating systems, patches, application updates, network modifications, new application instances, etc.
• Identify and document hardware and software settings
– Manage the security when changes occur
• Rebuild those systems if a disaster occurs
– Documentation and processes will be critical

A

Configuration management

2
Q

a visual representation of a computer or telecommunications network. It shows the components that make up a network and how they interact, including routers, devices, hubs, firewalls, etc.
• Network [this] - Document the physical wire and device
• Physical data center layout
– Can include physical rack locations
• Device [this] - Individual cabling

A

Diagrams

3
Q

an agreed description of the attributes of a product, at a point in time, which serves as a basis for defining change. A change is a movement from this baseline state to a next state.
• The security of an application environment should be well defined
– All application instances must follow this baseline
– Firewall settings, patch levels, OS file versions
– May require constant updates
• Integrity measurements check for the secure baseline
– These should be performed often
– Check against well-documented baselines
– Failure requires an immediate correction

A

Baseline configuration

4
Q

a convention for naming things. [This] differs in its intent, which may include allowing useful information to be deduced from the names based on regularities.
• Create a standard
– Needs to be easily understood by everyone
• Devices
– Asset tag names and numbers
– Computer names - location or region
– Serial numbers
• Networks - Port labeling
• Domain configurations
– User account names
– Standard email addresses

A

Standard naming conventions

5
Q

consists of Internet Protocol (IP) addresses and two special cases of IP addresses: broadcast addresses and loopback addresses. The Internet Protocol (IPv4) uses a 32-bit, two-part address field.
• An IP address plan or model
– Consistent addressing for network devices
– Helps avoid duplicate IP addressing
• Locations
– Number of subnets, hosts per subnet
• IP ranges
– Different sites have a different subnet
– 10.1.x.x/24, 10.2.x.x/24, 10.3.x.x/24
• Reserved addresses
– Users, printers, routers/default gateways

A

IP schema

6
Q

the process of safeguarding important information from corruption, compromise or loss. The importance of data protection increases as the amount of data created and stored continues to grow at unprecedented rates.
• A primary job task
– An organization is out of business without data
• Data is everywhere
– On a storage drive, on the network, in a CPU
• Protecting the data
– Encryption, security policies
• Data permissions
– Not everyone has the same access

A

Data Protection

7
Q

data is subject to the laws and regulations of the geographic location where that data is collected and processed. [This] is a country-specific requirement that data must remain within the borders of the jurisdiction where it originated.
– Data that resides in a country is subject to the laws of that country
– Legal monitoring, court orders, etc.
• Laws may prohibit where data is stored
– GDPR (General Data Protection Regulation)
– Data collected on EU citizens must be stored in the EU
– A complex mesh of technology and legalities
• Where is your data stored?
– Your compliance laws may prohibit moving data out of the country

A

Data sovereignty

8
Q

the process of modifying sensitive data in such a way that it is of no or little value to unauthorized intruders while still being usable by software or authorized personnel.
• Data obfuscation
– Hide some of the original data
• Protects PII
– And other sensitive data
• May only be hidden from view
– The data may still be intact in storage
– Control the view based on permissions
• Many different techniques
– Substituting, shuffling, encrypting, masking out, etc.

A

Data masking

9
Q

a way of translating data from plaintext (unencrypted) to ciphertext (encrypted).
• Encode information into unreadable data
– Original information is plaintext, encrypted form is ciphertext
• This is a two-way street
– Convert between one and the other
– If you have the proper key
• Confusion
– The encrypted data is drastically different from the plaintext
• Diffusion
– Change one character of the input, and many characters of the output change

A

Data encryption

10
Q

data that has reached a destination and is not being accessed or used. It typically refers to stored data and excludes data that is moving across a network or is temporarily in computer memory waiting to be read or updated.
• The data is on a storage device
– Hard drive, SSD, flash drive, etc.
• Encrypt the data
– Whole disk encryption
– Database encryption
– File- or folder-level encryption
• Apply permissions
– Access control lists
– Only authorized users can access the data

A

Data at-rest

11
Q

data actively moving from one location to another such as across the internet or through a private network.
• Data transmitted over the network
– Also called data in-motion
• Not much protection as it travels
– Many different switches, routers, devices
• Network-based protection
– Firewall, IPS
• Provide transport encryption
– TLS (Transport Layer Security)
– IPsec (Internet Protocol Security)

A

Data in-transit

12
Q

data that is currently being updated, processed, erased, accessed or read by a system. This type of data is not being passively stored, but is instead actively moving through parts of an IT infrastructure.
• Data is actively being processed in memory
– System RAM, CPU registers and cache
• The data is almost always decrypted
– Otherwise, you couldn’t do anything with it
• The attackers can pick the decrypted information out of RAM
– A very attractive option
• Target Corp. breach - November 2013
– 110 million credit cards
– Data in-transit encryption and data at-rest encryption
– Attackers picked the credit card numbers out of the point-of-sale RAM

A

Data in-use

13
Q

the process of replacing sensitive data, such as credit card numbers, with unique identification data while retaining all the essential information about the data. Because [this] is a non-destructive form of obfuscation, data is recoverable via a unique security key.
• Replace sensitive data with a non-sensitive placeholder
– SSN 266-12-1112 is now 691-61-8539
• Common with credit card processing
– Use a temporary token during payment
– An attacker capturing the card numbers can’t use them later
• This isn’t encryption or hashing
– The original data and token aren’t mathematically related
– No encryption overhead

A

Tokenization

14
Q

a subset of digital rights management, technologies that protect sensitive information from unauthorized access. It is sometimes referred to as E-DRM or Enterprise Digital Rights Management.
• Control how data is used
– Microsoft Office documents, email messages, PDFs
• Restrict data access by unauthorized persons
– Prevent copy and paste
– Control screenshots
– Manage printing
– Restrict editing
• Each user has their own set of rights
– Attackers have limited options

A

Information Rights Management (IRM)

15
Q

makes sure that users do not send sensitive or critical information outside the corporate network. The term describes software products that help a network administrator control the data that users can transfer.
• Where’s your data?
– Social Security numbers, credit card numbers, medical records
• Stop the data before the attackers get it
– Data “leakage”
• So many sources, so many destinations
– Often requires multiple solutions in different places
[This] systems
• On your computer
– Data in use
– Endpoint DLP
• On your network
– Data in motion
• On your server
– Data at rest

A

Data Loss Prevention (DLP)

16
Q

a data loss prevention technique that helps ensure the security of data. With this method, USB ports can be blocked for untrusted devices. [This] software allows companies to restrict unauthorized portable storage devices from accessing endpoints.
• DLP on a workstation
– Allow or deny certain tasks
• November 2008 - U.S. Department of Defense
– Worm virus “agent.btz” replicates using USB storage
– Bans removable flash media and storage devices
• All devices had to be updated
– Local DLP agent handled USB blocking
• Ban was lifted in February 2010
– Replaced with strict guidelines

A

USB blocking

17
Q
helps keep an organization's sensitive or critical information safe from cyber attacks, insider threats and accidental exposure. [this] solutions provide visibility and protection for sensitive data in SaaS and IaaS applications.
• Located between users and the Internet
– Watch every byte of network traffic
– No hardware, no software
• Block custom defined data strings
– Unique data for your organization
• Manage access to URLs
– Prevent file transfers to cloud storage
• Block viruses and malware
– Anything traversing the network

A

Cloud-based DLP

18
Q

• Email continues to be the most critical risk vector
– Inbound threats, outbound data loss
• Check every email inbound and outbound
– Internal system or cloud-based
• Inbound - Block keywords, identify impostors, quarantine email messages
• Outbound - Fake wire transfers, W-2 transmissions, employee information
Emailing a spreadsheet template
• November 2016 - Boeing employee emails spouse a spreadsheet to use as a template
• Contained the PII of 36,000 Boeing employees
– In hidden columns
– Social security numbers, date of birth, etc.
• Boeing sells its own DLP software
– But only uses it for classified work

A

DLP and email

19
Q

considerations related to managing security
• Legal implications
– Business regulations vary between states
– For a recovery site outside of the country, personnel must have a passport and be able to clear immigration
– Refer to your legal team
• Offsite backup
– Organization-owned site or 3rd-party secure facility
• Offsite recovery
– Hosted in a different location, outside the scope of the disaster
– Travel considerations for support staff and employees

A

Geographical considerations

20
Q

related to managing security
a way in which you manage the aftermath of an IT security breach or failure. It is vital to have a response plan in place before an incident occurs so that you can limit the damage caused by the event and reduce recovery time and costs for your business.
• [this] has become commonplace
– Attacks are frequent and complex
• Incident response plan should be established
– Documentation is critical
– Identify the attack
– Contain the attack
• Limit the impact of an attacker
– Limit data exfiltration
– Limit access to sensitive data

A

Response and recovery controls

21
Q

a way to identify malicious activity that occurs via encrypted communication channels. [this] works like an authorized man-in-the-middle (MitM) attack, where the encrypted traffic between the client and the server is decrypted and examined.
• Commonly used to examine outgoing SSL/TLS
– Secure Sockets Layer/Transport Layer Security
– For example, from your computer to your bank
• Wait a second. Examine encrypted traffic?
– Is that possible?
• SSL/TLS relies on trust
– Without trust, none of this works
Trust me, I’m SSL
• Your browser contains a list of trusted CAs
– My browser contains about 170 trusted CA certificates
• Your browser doesn’t trust a web site unless a CA has signed the web server’s encryption certificate
– The web site pays some money to the CA for this
• The CA has ostensibly performed some checks
– Validated against the DNS record, phone call, etc.
• Your browser checks the web server’s certificate
– If it’s signed by a trusted CA, the encryption works seamlessly

A

SSL/TLS inspection

22
Q

the practice of using an algorithm to map data of any size to a fixed length. Whereas encryption is a two-way function, [this] is a one-way function.
• Represent data as a short string of text
– A message digest
• One-way trip
– Impossible to recover the original message from the digest
– Used to store passwords / confidentiality
• Verify a downloaded document is the same as the original
– Integrity
• Can be a digital signature
– Authentication, non-repudiation, and integrity
• Will not have a collision (hopefully)
– Different messages will not have the same hash

A

Hashing

23
Q

– Control software or hardware programmatically
• Secure and harden the login page
– Don’t forget about the API
• On-path attack
– Intercept and modify API messages, replay API commands
• API injection
– Inject data into an API message
• DDoS (Distributed Denial of Service)
– One bad API call can bring down a system
Security
• Authentication
– Limit API access to legitimate users
– Over secure protocols
• Authorization
– API should not allow extended access
– Each user has a limited role
– A read-only user should not be able to make changes
• WAF (Web Application Firewall)
– Apply rules to API communication

A

Application Programming Interface (API) considerations

24
Q

The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.
• Recovery site is prepped
– Data is synchronized
• A disaster is called
– Business processes failover to the alternate processing site
• Problem is addressed
– This can take hours, weeks, or longer
• Revert back to the primary location
– The process must be documented for both directions

A

Site resiliency

25
Q

related to site resiliency
A fully operational offsite data processing facility equipped with hardware and software, to be used in the event of an information system disruption.
• An exact replica
– Duplicate everything
• Stocked with hardware
– Constantly updated
– You buy two of everything
• Applications and software are constantly updated
– Automated replication
• Flip a switch and everything moves
– This may be quite a few switches

A

Hot site

26
Q

related to site resiliency
A backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place.
• No hardware
– Empty building
• No data
– Bring it with you
• No people
– Bus in your team

A

Cold Site

27
Q

related to site resiliency
a type of facility an organization uses to recover its technology infrastructure when its primary data center goes down. [this] features an equipped data center but no customer data.
• Somewhere between cold and hot
– Just enough to get going
• Big room with rack space
– You bring the hardware
• Hardware is ready and waiting
– You bring the software and data

A

Warm site

28
Q

a network-attached system set up as a decoy to lure cyber attackers and detect, deflect and study hacking attempts to gain unauthorized access to information systems.
• Attract the bad guys
– And trap them there
• The “attacker” is probably a machine
– Makes for interesting recon
• [this]
– Create a virtual world to explore
• Many different options
– Kippo, Google Hack Honeypot, Wordpot, etc.
• Constant battle to discern the real from the fake

A

Honeypots

29
Q

a network set up with intentional vulnerabilities hosted on a decoy server to attract hackers. The primary purpose is to test network security by inviting attacks. This approach helps security experts study an actual attacker’s activities and methods to improve network security.
– More than one honeypot on a network
– More than one source of information
– Stop spammers - https://projecthoneypot.org

A

Honeynets

30
Q

bait files intended for hackers to access. The files reside on a file server, and the server sends an alarm when a honey file is accessed.
– Bait for the honeynet (passwords.txt)
– An alert is sent if the file is accessed
– A virtual bear trap

A

Honeyfiles

31
Q

a cybersecurity defense practice that aims to deceive attackers by distributing a collection of traps and decoys across a system’s infrastructure to imitate genuine assets. The use of automation to manage communications across multiple data sources and speed the detection of threats.
• Machine learning
– Interpret big data to identify the invisible
• Train the machine with actual data
– Learn how malware looks and acts
– Stop malware based on actions instead of signatures
• Send the machine learning model [this]
– Make malicious malware look benign

A

Fake telemetry

32
Q

a mechanism aimed at protecting users by intercepting DNS requests attempting to connect to known malicious or unwanted domains and returning a false, or rather controlled, IP address. The controlled IP address points to a sinkhole server defined by the [this] administrator.
• A DNS that hands out incorrect IP addresses
– Blackhole DNS
• This can be bad
– An attacker can redirect users to a malicious site
• This can be good
– Redirect known malicious domains to a benign IP address
– Watch for any users hitting that IP address
– Those devices are infected
• Can be integrated with a firewall
– Identify infected devices not directly connected

A

DNS sinkhole