401_2 Flashcards
Why are most worms successful?
A prevalence of undefended perimeters
OSs are left unchanged and unpatched
One application automatically installing another.
What is the CIA triad?
Confidentiality, Integrity, and Availability
What is Risk?
The probability of a threat crossing or touching a vulnerability
What is the impact of vulnerabilities in the risk calculation?
Vulnerabilities reduce the risk
How does threat affect risk?
Threats drive the risk calculation
What is the key focus of risk?
Confidentiality / Disclosure
Integrity / Alteration
Availability / Destruction
What are the primary threats?
Malware
Insider
Natural Disasters
Terrorism
What is a threat?
Any activity that represents a possible danger to information or operations.
Anything that would negatively impact CIA.
Threats are the agents of Risk
What is the relationship between vulnerabilities and threats?
Vulnerabilities are the gateway by which threats are manifested.
What is a vulnerability?
A weakness in a system or process that could be exploited by a threat
What are the primary vulnerability types?
Software
Electronic
Human
Physical
What are the 4 approaches to Defense-in-Depth?
Uniform protection
Protected enclaves
Information centric
Threat vector analysis
When discussing Defense-in-Depth, how does uniform protection treat all systems?
As equally important
Gives no special consideration or protection to the critical intellectual property of an organization.
To what type of threat is the uniform protection approach to Defense-in-Depth most vulnerable?
Insider
What two things are needed to manage configurations?
A baseline
A way to detect when a change occurs to the baseline
What are the dangers associated with malware?
Destroying Data
Leaking Information
Providing Backdoor Access
An effective malware defense strategy should incorporate the following items.
- Antivirus software at multiple locations
- Up-to-date virus signature files
- A practice of reviewing and installing security patches
- Lock-down of system configuration and dangerous application features
- Blocking file attachments (#1 to stop email viruses)
What are the 3 primary defensive techniques incorporated into an antivirus product?
Scanners
Activity monitors
Integrity checkers
What is another word for Activity monitors?
Behavior blockers
List 2 examples of integrity verification software
Tripwire
AIDE
What are some classic locations for antivirus products?
Workstations
File and print servers
Mail servers
Internet gateways
What is a security policy?
It establishes what you must do to protect information stored on computers and contains sufficient definition of “what” to do so you can identify, measure, or evaluate the “how.”
How does a security policy protect people?
Allows people to take necessary actions without fear of reprisal
Compels the safeguarding of information
Eliminates, or at least reduces, personal liability
How do you sell the need for a security policy to executives and users?
To sell to executives talk about the money
To sell to users talk about how it makes their job easier
Why does an organization need a security policy?
Protects the org, the people, and the info
Establishes what must be done to protect information stored on computers
Protects people who are trying to do the right thing
What does a mission statement have to do with information security?
It allows security workers to be sensitive to the needs of the business
What is the foundation for evaluating policy?
A baseline of the existing documentation
What do policies address?
The who, what, and why
What do procedures address?
The how, where, and when
What is a policy?
A directive that indicates a conscious decision to follow a path towards a specified objective.
What is a standard?
Specifies a certain way something should be done or a certain brand or type of equipment that must be used.
What is a baseline in relationship to a standard?
A baseline is a more specific implementation of a standard and gets into the specific technical details of how a system should be configured, e.g., hardening guides.
What are guidelines?
Suggestions to assist users, systems personnel, and others in effectively implementing policies and procedures, i.e., recommendations.
What needs to be included in a policy?
Purpose
Related documents or references
Cancellation or expiration
Background
Scope
Policy Statement
Responsibility
Action
How must a policy statement be written?
Clear, concise, and meet SMART objectives
Contain the guiding principles and 5 Ws (who, what, when, where, and why)
With what other policies should the security policy be consistent?
Mission Statement
Program Policy
Issue-Specific
System-Specific
What should be followed when creating a security policy?
State the issue
Identify the players (maintainer, HR, legal, management)
Find all relevant documentation that may exist
Define the policy - including all necessary sections
Identify penalties for non-compliance
Make sure it is enforceable
Submit for review and approval
What is an NDA?
Non-Disclosure Agreement
What three elements must be sent in order to register a copyright with the Library of Congress?
Properly completed application form
Application fee (currently $30)
“Deposit” (sample copy) of the work
What is a Business Continuity Plan (BCP)?
A plan for emergency response, backup operations, and post-disaster recovery maintained as a part of a security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.
What is a Disaster Recovery Plan (DRP)?
A plan that covers the tactical recovery of IT systems in the event of a disruption or disaster
Business continuity activities form a _______ over a crisis situation, while disaster recovery activities are a ________ of business continuity activities.
umbrella
subset
Name the six key components of a Business Continuity Plan.
Assess
Evaluate
Prepare
Mitigate
Respond
Recover
What is the primary goal of the Business Impact Analysis?
To determine the maximum allowable (or tolerable) downtime for any given system.
List five mistakes that are commonly made in contingency planning.
Lack of BCP testing
Limited scope
Lack of prioritization
Lack of plan updates
Lack of plan ownership
Lack of communication
Lack of security controls
Inadequate evaluation of vendor suppliers
Inadequate insurance (loss of life)
What are the two primary categories of data classification?
Public / Non Classified / Non Confidential
Private / Classified / Confidential
What are the five DoD and federal classification levels?
Top Secret
Secret
Confidential
Sensitive But Unclassified (SBU)
Unclassified
With respect to access control, what does the acronym IAAA represent?
Identity
Authentication
Authorization
Accountability
Authentication is proving that you are who you say you are and is done in what four ways?
Something you know
Something you have
Something you are
Someplace you are
What are the four principles associated with access control that you should utilize to make sure your security is as robust as it can possibly be?
Least Privilege
Need to Know
Separation of Duties
Rotation of Duties
What are six common types of access control?
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-based Access Control (RBAC)
Ruleset-based Access Control (RSBAC)
List-based Access Control (LBAC)
Token-based Access Control (TBAC)
Actively maintaining user accounts, data, and their relationships is a process called ________ and consists of what four tasks?
Access Management
Account Administration, Maintenance, Monitoring, and Revocation
What are some common ways of implementing SSO?
Scripts
LDAP or AD
Secure Tokens
Kerberos
By what different names is irreversible encryption known?
One-way encryption
One-way hashing
Hashing
The strength of a hash used for password storage primarily depends on what five factors?
Quality of algorithm
Key length (hash length)
CPU cycles
Character set support
Password length
What is password cracking?
The process of trying to guess or determine plaintext passwords, given only encrypted passwords
What are the basic steps involved in cracking passwords?
Find a valid user ID
Find the encryption algorithm
Obtain the encrypted password
Create a list of possible passwords
Encrypt each password
See if there is a match
What are the four general attack methods for cracking passwords?
Dictionary Attack
Hybrid Attack
Brute Force Attack
Pre-computation Attack
What are two common tools used to crack passwords?
John the Ripper
Cain
How do computers store passwords?
As one-way cryptographic hashes
What three major design flaws in Windows NT and Windows 2000 allowed passwords to be cracked very quickly?
Breaking the password into two seven-character halves before applying the hash algorithm
Automatically converting all lowercase characters to uppercase
Not using salts
What effect does a salt have on a password hash?
Ensures that two users with the same password will have a different ciphertext.
_____ is one of the best Windows password cracking programs on the market for what reasons?
Cain
Easy to use and nice GUI
Takes advantage of weak LAN Manager
Can crack passwords extremely quickly
Uses DLL injection to extract password hashes
Option to sniff a challenge/response dialogue
Circumvents MS SYSKEY protection mechanism
Free
What is a rainbow table?
Name given to the files that are produced by pre-computing password hash values and storing the data in an optimized manner.
What techniques can be used to protect against password cracking?
Protect encrypted passwords
Enforce a strong password policy
Use one-time passwords or multi-factor authentication
Disable LANMAN
Prevent pre-computation attacks (
What are three quantities typically associated with the reliability of a biometric mechanism?
False Acceptance Rate (FAR)
False Reject Rate (FRR)
Crossover Error Rate (CER)
What is Incident Handling?
The action or plan for dealing with intrusions, cyber-theft, denial of service attacks, malicious code, and other events
What is an Incident in the context of Incident Handling?
An adverse event in an information system, and/or network, or the threat of the occurrence of such an event
What is an event?
Any observable occurrence in a system and/or network.
Something that happened in time that you either directly experienced or that you can demonstrate actually occurred.
What is the relationship of an event to an incident?
All incidents are composed of a series of events, but not all events are considered incidents
Which of the following would you consider an incident?
- Attackers exploiting Sendmail on a Unix system
- Attackers running a NetBIOS scan against a Unix system
- A missing backup tape that contains sensitive information
Yes to all three.
What are the six stages of Incident Handling?
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
What are some key items to consider during the preparation phase of the Incident Handling process?
- Out of band communication
- Notification of law enforcement officials
- Contain and cleanup or observe
In which of the plans that encompass the Business Continuity Plan would Incident Handling be included?
- Disaster Recovery
- End-user Recovery
- Contingency
- Emergency Response
- Crisis Management
Disaster Recovery
What is the goal of the containment stage of the Incident Handling process?
To stabilize the environment
Make a binary backup of the systems for analysis
Secure the area
Change passwords ASAP
List three of the most common backup access methods (backdoors).
A process listening on a specific port and offering shell access
Creating a new user account with high privileges
Scheduling jobs that periodically run programs that open new paths to access the system.
What is the key point to consider in the recovery phase of the Incident Handling process?
To ensure you are not restoring vulnerable code that has already proven itself to be exploitable or already compromised.
What are the two main options available when restoring a compromised system?
1. Installing the OS and apps from scratch
2. Restoring from a trusted backup and patching to fix the vulnerability
What are some key Incident Handling mistakes that are commonly made in organizations?
- Failure to report an incident or ask for help
- Incomplete or nonexistent notes
- Mishandling or destroying evidence
- Failure to create working backups
- Failure to contain or eradicate the incident
- Failure to prevent re-infection
- Failure to apply lessons learned
What are the two dominant legal systems in the world?
1. Common Law System
2. Civil Law System
What is the common law system often referred to as?
Judge-made Law
What is the difference between the common law system and the civil law system?
Common law is based on precedent set by prior court rulings. Civil law is based on written rules and codes.
What is a “tort” with respect to Incident Handling?
A civil wrong
What forms an integral part of “Tort Law”?
The Law of Negligence
What are the two main categories of law?
Criminal Law
Civil Law
What is the burden of proof for criminal law?
Have to prove beyond a reasonable doubt that someone committed a crime.
Who is the victim in a criminal law case?
Society
What is chain of custody?
A concept in jurisprudence that applies to the handling of evidence and its integrity.
Refers to the document or paper trail showing the seizure, custody, control, storage, transfer, and analysis of physical and electronic evidence.
What algorithms are used for preserving computer-based evidence?
MD5
SHA1
What is real evidence?
A tangible item such as the seized computer or USB thumbdrive
What is direct evidence?
Refers to evidence gathered from an eye witness or the person who watched or logged an incident as it occurred.
What are two key tenets of cyber security?
1. Know thy system
2. Prevention is ideal but detection is a must
What are the three basic tools of information warfare?
- Perception management
- Malicious code
- Predictable response
At its heart, what has the focus of information warfare been over the past decade?
Economic
What is asymmetry with respect to information warfare?
When a fairly small investment or input has a very large effect.
Give an example of cycle time.
The decreasing amount of time between a vulnerability announcement, patch availability, and the release of a worm taking advantage of the vulnerability.
What is the basic model for assessing collected data?
Does the data indicate a stimulus or response?
Assess the targeting
Is there implied evidence of earlier successful reconnaissance?
Mechanically assess the trace
Make an estimate as to the purpose and severity
List the typical information warfare offensive players.
- Insiders (Employees, Ex-Employees, Temps, Contractors)
- Hackers
- Criminals
- Corporations
- Governments
- Terrorists
What is the overall goal of an information warfare attack?
To target an information resource and either make it more valuable to the offense or less valuable to the defense.
To cause harm to the target organization.
What is the mantra of the information operations worker?
We win; you lose, but perhaps not in zero-sum fashion
As a defender in an information warfare attack, what is one of our most important tools?
Defense-in-depth
Why is defense not dominant in information warfare?
Vast perimeter to defend (mobility)
Complex systems
Data portability (cloud computing)
Insiders, whether malicious or just careless
Security is often an afterthought
What protocol do browsers and servers use to communicate over the Web?
HTTP - Hypertext Transfer Protocol
What are the two parts of an HTTP transaction?
Client request
Server response
What are the most common HTTP methods?
GET
PUT
POST
HEAD
What three components make up the first line of an HTTP request?
- Name of the method
- Resource being requested
- HTTP Version
What additional component is required in the HTTP/1.1 protocol that is not required in the older HTTP/1.0 protocol?
Host header to specify at which domain the request is aimed. This allows a single web server on a single IP address to process requests for multiple domains.
HTTP status codes beginning with the number __ are error codes.
4
What are the three pieces that make up an HTTP request?
- Request
- Header lines
- Body
What are the three pieces that make up an HTTP response?
- Status line
- Header lines
- Body
What three fields are in the HTTP response status line?
- HTTP Version
- Status code
- Description (free form text message)
What was the creator’s main purpose in developing HTML?
Allow for standard formatting of document and to facilitate easy editing and uploading of Web-based documents for the purposes of collaboration
How is form data sent with the GET action?
It is appended to the URL query string.
How is form data sent with the PUT action?
It is sent within the HTTP headers
Is HTTP a stateless or stateful protocol?
Stateless
In web terms what is a cookie?
A named piece of data created by a Web server and stored at the Web browser.
What do cookies most commonly keep track of?
User authentication
Application session state
What are the two types of cookies?
Persistent - stored in text file
Session (non-persistent) - stored in memory
List some rules cookies must follow.
- Must have been set by a Web server and can only be sent back to that same Web server
- Web server must specify the contents of the cookie at the time it is created
- Can’t violate your privacy, as they only contain info already known to the site
What is the most significant concern with cookies?
They can be used to track your Web usage.
What are the three roles of SSL?
- Encryption
- Server identity verification
- Data integrity
What is SSL?
Secure Sockets Layer is a protocol that provides an encrypted tunnel between two SSL-aware applications.
What is negotiated during the handshake phase of an SSL connection?
The type and strength of encryption to use
What is presented to the client during SSL initialization allowing the user to verify the server’s identity?
Public key certificate
What components should be included in an organization’s development, testing, and deployment process to prevent the introduction of vulnerabilities?
- Security training for developers
- Peer Reviews
- Formal testing
- Performance testing
- Configuration management and version control
- Staging and deployment
What is an ASP?
Application Service Provider
What items should be on the audit checklist for ASPs?
- How will they secure the applications?
- When was the last audit? (every 6 months is ideal)
- Review the patch management history
- Should allow vulnerability scanning
What is the best way to identify the security practices of an ASP?
By performing an audit every six months.
What are the two most commonly seen web authentication methods?
1. HTTP Authentication
2. HTML Form-based Authentication
What are the two native HTTP authentication schemes?
1. Basic Authentication
2. Digest Authentication
What is a URL directory traversal attack?
A user exploiting vulnerabilities on a web server to gain access to restricted directories, execute commands, and view data outside of the directories meant to be published.
What is the most popular technique for tracking a user through multiple web requests?
The use of Session IDs.
Where are session IDs often stored?
- Hidden form element
- Cookies
- URL query string
What are common examples of input attacks?
- OS command injection
- Buffer overflows
- SQL Injection
- Cross Site Scripting
What is the number one defense against most input attacks?
Validation of user input.
What is one of the most popular file integrity checkers?
Tripwire
What tool can perform SIEM correlations?
Splunk
What is the number one all-time champion Web hacking tool in the galaxy?
Your Web browser
What is the first thing you want to identify when monitoring the performance of your web application?
A baseline
What are the key performance indicators to track for security purposes while monitoring the performance of your web application?
1. Latency
2. Throughput
What are some specific attributes of latency and throughput that should be monitored?
- Network connections
- Page load times
- Application login
- Transaction times