4.2 Reporting & communications: Findings & remediation

Question 1

Security Control Categories: define a security control

Answer 1

▪ A technology or procedure put in place to mitigate vulnerabilities and risk in order to ensure the confidentiality, integrity, availability, and nonrepudiation of data and information
▪ Security controls should be selected and deployed in a structured manner using an overall framework

Question 2

Security Control Categories: explain the class of control as per NIST SP 800-53 (6)

Answer 2

● Technical (Logical) Controls: A category of security control that is implemented as a system (hardware, software, or firmware)
● Operational Controls: A category of security control that is implemented primarily by people rather than systems
● Administrative Controls: A category of security control that provides oversight of the information system
● Preventative Control: A control that acts to eliminate or reduce the likelihood that an attack can succeed
● Detective Control: A control that may not prevent or deter access, but will identify and record any attempted or successful intrusion
● Corrective Control: A control that acts to eliminate or reduce the impact of an intrusion event

Question 3

Security Control Categories: what are the other class of control that are not mentioned in the NIST

Answer 3

▪ Physical Control: A type of security control that acts against in-person intrusion attempts
▪ Deterrent Control: A type of security control that discourages intrusion attempts
▪ Compensating Control: A type of security control that acts as a substitute for a principal control

Question 4

Physical Controls: list the type of physical controls (6)

Answer 4

o Access Control Hardware: Badge reader, Biometric reader
o Access Control Vestibule (Mantrap): An area between two doorways that holds people until they are identified and authenticated
o Smart Locker: A fully integrated system that allows you to keep your laptop, tablet, smartphone, or other valuables inside
o Locking Racks/Cabinets: Controls physical access to networking equipment
o Employee Training: 69% ROI for SMBs, 248% ROI for large enterprises
o Video Surveillance: Used to figure out what happened on a certain area

Question 5

Operational Controls: list the type of operational controls (7)

Answer 5

o Separation of Duties
o Job Rotation: Different users are trained to perform the tasks of the same position to help prevent an identity fraud that could occur if only one employee had that job
o Mandatory Vacation: An employee is required to take a vacation at some point during the year
o Employment and Termination Procedures: An administrative control that is focused on what to do when hiring and firing employees (e.g. security training)
o Auditing Requirements and Frequency
o Time of Day Restriction: Limits user access during non-business hours

Question 6

Administrative Controls: list the type of administrative controls (4)

Answer 6

o Role Based Access Control
o Minimum Password Requirements: Complexity, Password Aging, Password History
o Policies and Procedures: Enables an organization to operate normally for minimizing cyber security incident
o Software Development Life Cycle

Question 7

System Hardening: what is hardening?

Answer 7

o The process by which a host or other device is made more secure through the reduction of that device’s attack surface
o Any service or interface that is enabled through the default installation and left unconfigured should be considered a vulnerability

Question 8

System Hardening: what item should you have in the system hardening checklist (10)

Answer 8

▪ Remove or disable devices that are not needed or used
▪ Install OS, application, firmware, and driver patches regularly
▪ Uninstall all unnecessary network protocols
▪ Uninstall or disable all unnecessary services and shared folders
▪ Enforce Access Control Lists on all system resources
▪ Restrict user accounts to the least privileges needed
▪ Secure the local admin or root account by renaming it and changing password
▪ Disable unnecessary default user and group accounts
▪ Verify permissions on system accounts and groups
▪ Install antimalware software and update its definitions regularly
▪ Consider how to also harden systems against availability attacks

Question 9

Secure Coding: explain Input Validation

Answer 9

Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application

Question 10

Secure Coding: where Input Validation should be conducted (client/ server)? Is there a risk if the input validation is done on client or server?

Answer 10

▪ Input validation can be conducted locally (on client) or remotely (on server)
▪ Client-side input validation is more dangerous since it is vulnerable to malware interference
▪ Input should still undergo server-side validation after passing client-side validation

Question 11

Secure Coding: how input validation and normalization or sanitization are related?

Answer 11

▪ Input should also be subjected to normalization or sanitization:
● Normalization: A string is stripped of illegal characters or substrings and converted to the accepted character set
● Canonicalization Attack: Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures

Question 12

Secure Coding: explain Output Encoding

Answer 12

Output encoding mitigates against code injection and XSS attacks that attempt to use input to run a script

Question 13

Secure Coding: explain Parameterized Queries

Answer 13

▪ A technique that defends against SQL injection and insecure object references by incorporating placeholders in a SQL query
▪ Parameterized queries are a form of output encoding

Question 14

Implementing MFA: explain Single Sign-On (SSO) and Multifactor Authentication (MFA)

Answer 14

o Single Sign-On (SSO): An authentication technology that enables a user to authenticate once and receive authorizations for multiple services
o Multifactor Authentication (MFA): An authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are

Question 15

Implementing MFA: what is advantage and disadvantage of SSO?

Answer 15

o Advantage: User does not need multiple user accounts and passwords
o Disadvantage: If the user account is compromised, the attacker has access to everything

Question 16

Digital Certificates: what is the certificate lifecycle (8)?

Answer 16

1. Generate: processes that allow a certificate to be requested and issued to a client or device
2. Provision: describe the different types of certificates and the conditions under which those certificates will be issued to a client or device
3. Discover: focus its efforts on incorporating modern capabilities into the environment to scan and identify the certificates in use
4. Inventory: document every certificate in use, including information about those certificates
5. Monitor: identify any changes to the certificates or any suspicious activity related to a certificate’s usage
6. Protect: protection of the private keys through the use of technical controls like using key encrypting keys and bit splitting techniques
7. Renew: renew our digital certificates by replacing them with newer, more updated versions to the maximum extent possible
8. Revoke: Identify the need for revocation of a digital certificate and follow those procedures when needed

Question 17

Digital Certificates: what are the reasons for revoking a certificate (5)?

Answer 17

▪ Cessation of operation
▪ CA compromise
▪ Key compromise
▪ Superseded
▪ Unspecified

Question 18

Digital Certificates: explain Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP)

Answer 18

o Certificate Revocation List (CRL): An online list of digital certificates revoked by the certificate authority
o Online Certificate Status Protocol (OCSP): Determines the revocation status of a digital certificate using its serial number

Question 19

Digital Certificates: explain certificate pinning and certificate stapling

Answer 19

o Certificate Pinning: A method of trusting digital certificates that bypass the CA hierarchy and chain of trust. HTTP public key pinning allows a website to resist impersonation attacks
o Certificate Stapling: process to enables the server presenting a certificate to efficiently verify its revocation status through the Online Certificate Status Protocol (OCSP). This is achieve by including the OSCP response with the certificate handshake, resulting in enhance security for client who are assured that the certificate is valid.

Question 20

Digital Certificates: explain HTTP Strict Transport Security (HSTS)

Answer 20

▪ Allows a web server to notify web browsers to only request using HTTPS and not HTTP
▪ Strict-Transport-Security header with an expiration date and time

Question 21

Other Technical Controls: list the other technical controls (4)

Answer 21

o Key Rotation: The process of changing keys on a periodic basis to mitigate against the possibility of a brute-force attack of an unidentified key breach
o Secret Management Solution: A platform used to control passwords, key pairs, and other sensitive information that needs to be securely stored
o Process-Level Remediation: Focused on resolving findings by changing how a process or protocol is used or implemented
o Network Segmentation: Divides system infrastructure into different physical or virtual subdivisions

Question 22

Mitigation Strategies: define mitigation strategies

Answer 22

Prioritize the findings and recommendations based on the threat, the risk rating, and the cost of implementation

Question 23

Mitigation Strategies: list the remediation categories (3)

Answer 23

▪ Technology
▪ Processes: The idea of mitigating things through processes is to figure out exactly how you can fix things by changing the way the organization is operating. Problems do not always have a technology solution
▪ People: Recommend better training for their

Question 24

Mitigation Strategies: explain Local Administrator Password Solution (LAPS) as a solution

Answer 24

Manages all local admin passwords without having to have the same password on every machine across the domain

Question 25

Mitigation Strategies: explain Weak Password Complexity as a solution

Answer 25

Change their password policy and recommend creating a minimum password requirement

Question 26

Mitigation Strategies: explain the solution to Plain text Passwords

Answer 26

All passwords must be stored as hashes or in another encrypted format

Question 27

Mitigation Strategies: explain the solution to No Multifactor Authentication

Answer 27

Recommend adding another factor from at least two of the four categories
o Something you know
o Something you have
o Something you are
o Something you do

Question 28

Mitigation Strategies: explain the solution to SQL Injections

Answer 28

● Sanitize user input
● Parameterize queries

Question 29

Mitigation Strategies: explain the solution to Unnecessarily Open Services

Answer 29

● Go through system hardening practices
● Disable unnecessary services
● Uninstall unused programs
● Close unused ports
● Anything that is unnecessary in terms of services or programs should be disabled or uninstalled