4.2 Reporting & communications: Findings & remediation Flashcards

1
Q

Security Control Categories: define a security control

A

▪ A technology or procedure put in place to mitigate vulnerabilities and risk in order to ensure the confidentiality, integrity, availability, and nonrepudiation of data and information
▪ Security controls should be selected and deployed in a structured manner using an overall framework

2
Q

Security Control Categories: explain the classes of control as per NIST SP 800-53 (6)

A

● Technical (Logical) Controls: A category of security control that is implemented as a system (hardware, software, or firmware)
● Operational Controls: A category of security control that is implemented primarily by people rather than systems
● Administrative Controls: A category of security control that provides oversight of the information system
● Preventative Control: A control that acts to eliminate or reduce the likelihood that an attack can succeed
● Detective Control: A control that may not prevent or deter access, but will identify and record any attempted or successful intrusion
● Corrective Control: A control that acts to eliminate or reduce the impact of an intrusion event

3
Q

Security Control Categories: what are the other classes of control that are not mentioned in the NIST classes?

A

▪ Physical Control: A type of security control that acts against in-person intrusion attempts
▪ Deterrent Control: A type of security control that discourages intrusion attempts
▪ Compensating Control: A type of security control that acts as a substitute for a principal control

4
Q

Physical Controls: list the types of physical controls (6)

A

o Access Control Hardware: Badge reader, Biometric reader
o Access Control Vestibule (Mantrap): An area between two doorways that holds people until they are identified and authenticated
o Smart Locker: A fully integrated system that allows you to keep your laptop, tablet, smartphone, or other valuables inside
o Locking Racks/Cabinets: Controls physical access to networking equipment
o Employee Training: 69% ROI for SMBs, 248% ROI for large enterprises
o Video Surveillance: Used to figure out what happened in a certain area

5
Q

Operational Controls: list the types of operational controls (7)

A

o Separation of Duties
o Job Rotation: Different users are trained to perform the tasks of the same position to help prevent identity fraud that could occur if only one employee had that job
o Mandatory Vacation: An employee is required to take a vacation at some point during the year
o Employment and Termination Procedures: An administrative control that is focused on what to do when hiring and firing employees (e.g. security training)
o Auditing Requirements and Frequency
o Time of Day Restriction: Limits user access during non-business hours

6
Q

Administrative Controls: list the types of administrative controls (4)

A

o Role Based Access Control
o Minimum Password Requirements: Complexity, Password Aging, Password History
o Policies and Procedures: Enable an organization to operate normally while minimizing cyber security incidents
o Software Development Life Cycle

7
Q

System Hardening: what is hardening?

A

o The process by which a host or other device is made more secure through the reduction of that device’s attack surface
o Any service or interface that is enabled through the default installation and left unconfigured should be considered a vulnerability

8
Q

System Hardening: what items should you have in the system hardening checklist (10)

A

▪ Remove or disable devices that are not needed or used
▪ Install OS, application, firmware, and driver patches regularly
▪ Uninstall all unnecessary network protocols
▪ Uninstall or disable all unnecessary services and shared folders
▪ Enforce Access Control Lists on all system resources
▪ Restrict user accounts to the least privileges needed
▪ Secure the local admin or root account by renaming it and changing password
▪ Disable unnecessary default user and group accounts
▪ Verify permissions on system accounts and groups
▪ Install antimalware software and update its definitions regularly
▪ Consider how to also harden systems against availability attacks

9
Q

Secure Coding: explain Input Validation

A

Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application

10
Q

Secure Coding: where should Input Validation be conducted (client/server)? Is there a risk if the input validation is done on the client or on the server?

A

▪ Input validation can be conducted locally (on client) or remotely (on server)
▪ Client-side input validation is more dangerous since it is vulnerable to malware interference
▪ Input should still undergo server-side validation after passing client-side validation

11
Q

Secure Coding: how are input validation and normalization or sanitization related?

A

▪ Input should also be subjected to normalization or sanitization:
● Normalization: A string is stripped of illegal characters or substrings and converted to the accepted character set
● Canonicalization Attack: Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures

12
Q

Secure Coding: explain Output Encoding

A

Output encoding mitigates against code injection and XSS attacks that attempt to use input to run a script

13
Q

Secure Coding: explain Parameterized Queries

A

▪ A technique that defends against SQL injection and insecure object references by incorporating placeholders in a SQL query
▪ Parameterized queries are a form of output encoding

14
Q

Implementing MFA: explain Single Sign-On (SSO) and Multifactor Authentication (MFA)

A

o Single Sign-On (SSO): An authentication technology that enables a user to authenticate once and receive authorizations for multiple services
o Multifactor Authentication (MFA): An authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are

15
Q

Implementing MFA: what are the advantage and disadvantage of SSO?

A

o Advantage: User does not need multiple user accounts and passwords
o Disadvantage: If the user account is compromised, the attacker has access to everything

16
Q

Digital Certificates: what is the certificate lifecycle (8)?

A
  1. Generate: processes that allow a certificate to be requested and issued to a client or device
  2. Provision: describe the different types of certificates and the conditions under which those certificates will be issued to a client or device
  3. Discover: focus efforts on incorporating modern capabilities into the environment to scan for and identify the certificates in use
  4. Inventory: document every certificate in use, including information about those certificates
  5. Monitor: identify any changes to the certificates or any suspicious activity related to a certificate’s usage
  6. Protect: protect the private keys through technical controls such as key-encrypting keys and bit-splitting techniques
  7. Renew: renew our digital certificates by replacing them with newer, more updated versions to the maximum extent possible
  8. Revoke: Identify the need for revocation of a digital certificate and follow those procedures when needed
17
Q

Digital Certificates: what are the reasons for revoking a certificate (5)?

A

▪ Cessation of operation
▪ CA compromise
▪ Key compromise
▪ Superseded
▪ Unspecified

18
Q

Digital Certificates: explain Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP)

A

o Certificate Revocation List (CRL): An online list of digital certificates revoked by the certificate authority
o Online Certificate Status Protocol (OCSP): Determines the revocation status of a digital certificate using its serial number

19
Q

Digital Certificates: explain certificate pinning and certificate stapling

A

o Certificate Pinning: A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust. HTTP Public Key Pinning allows a website to resist impersonation attacks
o Certificate Stapling: A process that enables the server presenting a certificate to efficiently verify its revocation status through the Online Certificate Status Protocol (OCSP). This is achieved by including the OCSP response in the certificate handshake, resulting in enhanced security for clients, who are assured that the certificate is valid.

20
Q

Digital Certificates: explain HTTP Strict Transport Security (HSTS)

A

▪ Allows a web server to notify web browsers to only request using HTTPS and not HTTP
▪ Implemented with the Strict-Transport-Security header, which carries an expiration date and time

21
Q

Other Technical Controls: list the other technical controls (4)

A

o Key Rotation: The process of changing keys on a periodic basis to mitigate against the possibility of a brute-force attack or an unidentified key breach
o Secret Management Solution: A platform used to control passwords, key pairs, and other sensitive information that needs to be securely stored
o Process-Level Remediation: Focused on resolving findings by changing how a process or protocol is used or implemented
o Network Segmentation: Divides system infrastructure into different physical or virtual subdivisions

22
Q

Mitigation Strategies: define mitigation strategies

A

Prioritize the findings and recommendations based on the threat, the risk rating, and the cost of implementation

23
Q

Mitigation Strategies: list the remediation categories (3)

A

▪ Technology
▪ Processes: The idea of mitigating things through processes is to figure out exactly how you can fix things by changing the way the organization is operating. Problems do not always have a technology solution
▪ People: Recommend better training for their

24
Q

Mitigation Strategies: explain Local Administrator Password Solution (LAPS) as a solution

A

Manages all local admin passwords so that the same password does not have to be used on every machine across the domain

25
Q

Mitigation Strategies: explain Weak Password Complexity as a solution

A

Change their password policy and recommend creating a minimum password requirement

26
Q

Mitigation Strategies: explain the solution to Plain text Passwords

A

All passwords must be stored as hashes or in another encrypted format

27
Q

Mitigation Strategies: explain the solution to No Multifactor Authentication

A

Recommend adding another factor from at least two of the four categories:
o Something you know
o Something you have
o Something you are
o Something you do

28
Q

Mitigation Strategies: explain the solution to SQL Injections

A

● Sanitize user input
● Parameterize queries

29
Q

Mitigation Strategies: explain the solution to Unnecessarily Open Services

A

● Go through system hardening practices
● Disable unnecessary services
● Uninstall unused programs
● Close unused ports
● Anything that is unnecessary in terms of services or programs should be disabled or uninstalled