CANES 2 Flashcards
Main references for CANES Core
CANES SW4 IETM – EE689-2X-IEM-004- AN/USQ-208C(V)
C5ISR
Navy Command, Control, Communications, Computers, Combat Systems, Intelligence, Surveillance, and Reconnaissance
Navy Command, Control, Communications, Computers, Combat Systems, Intelligence, Surveillance, and Reconnaissance (C5ISR) consists of:
2 CANES online resources
Naval Information Warfare Systems Command (NAVWAR) Acquisition Integrated Logistics Online Repository (SAILOR)
Navy Enterprise Service Desk (NESD)
CDS provides
Cross Domain Solutions (CDS) provides client access to the UNCLAS, SR, and SECRET enclaves
The CDS Transfer Guard provides the capability to disseminate data from systems accredited at the same or lower classification levels
It sanitizes and downgrades data for release to systems with different classification levels
Fault Isolation Strategy Six Step Process:
- Recognize symptom(s)
- Define symptom(s)
- List probable faulty function
- Localize the faulty function
- Localize trouble to the faulty component
- Analyze the failure
The hardware components used in CANES can be broken down into the following four functional areas:
Data Processing
Data Storage
Data Transfer
Power Distribution
Servers are installed in the CANES equipment racks and provide VMware vSAN storage for hosted apps and virtual machines.
The HP DL380 G10
One of these (HP DL380 G10) servers is the Witness server, installed in the SECRET enclave only. It enables MAC-1 failover/failback to occur automatically.
As such it is considered critical equipment and must always remain powered on.
HP DL20 G10: this unit is located in the VTC rack (Unit 51 or 52, depending on the installation)
Most likely not connected
The line con 0 in Cisco IOS represents the physical console port and is configured via the line interface:
Access the line interface from Global Configuration mode by typing: line con 0 followed by the Enter key
Changing the line interface configuration without the required approvals is not authorized
To verify the configuration is unchanged from the baseline settings
From Privileged EXEC mode type: show running-config | begin line
Compare the line con 0 configuration to the ship's network template
Viewing Local Accounts
Cisco Switch and Router
From Privileged EXEC mode, type: show run | include username
Verify the local account list and each account's privilege level
Cisco Default Privilege Levels
Level 0: log out, enable, disable, help, and exit commands
Level 1: Read-only access (User EXEC)
Level 15: Full router or switch control (Privileged EXEC)
Cisco Local Account Creation
From Global Configuration mode, type: username <name> privilege <level> password <password>
(Caveat: the password keyword stores the credential in cleartext or in reversible type 7 form; the secret keyword stores a hash. Use whichever the ship's template specifies.)
Local Account Deletion
From Global Configuration mode, type: no username <name>
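The two checks above (console line unchanged from baseline, local accounts and privilege levels as expected) can be run against a saved capture of show running-config instead of by eye. The script below is an added example, not CANES or IETM material: the two here-strings are constructed sample captures, the approved-account table stands in for the ship's network template, and the file handling (a PuTTY session log) is assumed.

```powershell
# Added example: audit a saved 'show running-config' capture against the ship's template.
# Constructed sample capture (hashes are placeholders); in practice read it with
# Get-Content -Raw from the PuTTY session log.
$runningConfig = @'
hostname CANES-BB-SW01
!
username admin privilege 15 secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
username netops privilege 1 secret 5 $1$efgh$xxxxxxxxxxxxxxxxxxxxxx
username tempuser privilege 15 password 7 0822455D0A16
!
line con 0
 exec-timeout 10 0
 login authentication CONSOLE
 logging synchronous
line vty 0 4
 transport input ssh
 exec-timeout 10 0
!
end
'@

# Constructed stand-in for the 'line con 0' stanza of the ship's network template.
$templateConsole = @'
line con 0
 exec-timeout 10 0
 login authentication CONSOLE
 logging synchronous
 transport output none
'@

# Accounts and maximum privilege levels the template allows (constructed).
$approvedAccounts = @{ 'admin' = 15; 'netops' = 1 }

function Get-IosLocalAccounts {
    # Same data as 'show run | include username', parsed into objects.
    param([string]$Config)
    foreach ($line in ($Config -split "`r?`n")) {
        if ($line -match '^username\s+(\S+)\s+privilege\s+(\d+)\s+(secret|password)\s+(\d)') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Privilege = [int]$Matches[2]
                # 'password 7' is reversible type-7 obfuscation, not a hash
                Weak      = ($Matches[3] -eq 'password')
            }
        }
    }
}

function Get-IosSection {
    # Same data as 'show run | section <Header>': the header plus its indented lines.
    param([string]$Config, [string]$Header)
    $out = @(); $inSection = $false
    foreach ($line in ($Config -split "`r?`n")) {
        if ($line -eq $Header) { $inSection = $true; $out += $line; continue }
        if ($inSection) {
            if ($line -match '^\s') { $out += $line } else { break }
        }
    }
    return $out
}

# Local accounts: not in the template, above its approved level, or weakly stored.
$findings = @(foreach ($acct in Get-IosLocalAccounts -Config $runningConfig) {
    if (-not $approvedAccounts.ContainsKey($acct.Name)) {
        "UNAPPROVED local account '$($acct.Name)' (privilege $($acct.Privilege))"
    } elseif ($acct.Privilege -gt $approvedAccounts[$acct.Name]) {
        "PRIVILEGE '$($acct.Name)' is $($acct.Privilege), template allows $($approvedAccounts[$acct.Name])"
    }
    if ($acct.Weak) { "WEAK STORAGE '$($acct.Name)' uses 'password 7' instead of 'secret'" }
})

# Console line: diff the live stanza against the template stanza, line by line.
$liveCon = Get-IosSection -Config $runningConfig -Header 'line con 0'
$tmplCon = $templateConsole -split "`r?`n"
foreach ($d in (Compare-Object -ReferenceObject $tmplCon -DifferenceObject $liveCon)) {
    $tag = if ($d.SideIndicator -eq '<=') { 'MISSING from device' } else { 'EXTRA on device' }
    $findings += "CON0 $tag : $($d.InputObject.Trim())"
}

$findings
```

Against the sample capture this reports the unapproved tempuser account, its type-7 password, and the transport output none line missing from line con 0. Any finding is a reason to open a change request, not to edit the line interface on the spot, per the approval rule above.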
show running-config | section ospf
Command that shows the OSPF section of the running configuration
Results can be compared against the baseline settings
show ip ospf neighbor
Command that shows the state of adjacency; OSPF requires FULL adjacency to function
Results show each OSPF neighbor's IP address and the connecting interface, e.g. the CANES Border Firewall interface that connects to the Backbone router-switch
show ip ospf interface
Command that shows OSPF information per interface
show ip ospf database
Command that shows all router IDs in the OSPF area
show ip route
Command that shows directly connected, static, link-local, and OSPF-learned network routes
Exchange Troubleshooting
The _____ Diagram is a helpful resource when errors occur
Exchange Troubleshooting
The Email and Calendar Service Troubleshooting Fault Isolation Diagram is a helpful resource when errors occur
Exchange Toolbox is installed on
CANES EX01/02 and IAEXET
It is a Microsoft Management Console (MMC) snap-in that you can use to view information about and act on queues and messages in queues
Exchange Toolbox includes Queue Viewer
System Admins can use Queue Viewer to perform the following actions
Remove messages
Suspend messages
Resume messages
Redirect messages
Accessing Queue Viewer
Log in to IAEXET with System Administrator credentials
Navigate to Start > Microsoft Exchange Server 2016 > Exchange Toolbox and click on Queue Viewer
Click on Queue Viewer under Mailflow Tools
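The same checks and actions Queue Viewer offers, plus the "are the mailbox databases mounted" check that comes up repeatedly in Exchange troubleshooting, can be run from the Exchange Management Shell on EX01/EX02. The script below is an added example, not from the CANES IETM: EX01 and EX02 are the page's server names, while the 50-message threshold, the -Fix switch and the placeholder identities in the comments are assumptions for this example.

```powershell
# Added example: Queue Viewer checks as an Exchange Management Shell script.
# Run from the Exchange Management Shell; report only unless -Fix is given.
param(
    [string[]]$Servers = @('EX01', 'EX02'),
    [int]$QueueThreshold = 50,   # queued messages before a queue counts as backed up (assumed)
    [switch]$Fix                 # without -Fix nothing is changed
)

# 1. "People cannot access their email": every mailbox database must be mounted.
$dbs = Get-MailboxDatabase -Status | Select-Object Name, Server, Mounted
$dbs | Format-Table -AutoSize
foreach ($db in ($dbs | Where-Object { -not $_.Mounted })) {
    Write-Warning "Mailbox database $($db.Name) on $($db.Server) is NOT mounted"
    if ($Fix) { Mount-Database -Identity $db.Name }
}

# 2. "Anything stuck in the outbox queue": queues that are not Ready/Active, or backed up.
$stuck = @(foreach ($srv in $Servers) {
    Get-Queue -Server $srv |
        Where-Object { $_.Status -notin @('Ready', 'Active') -or $_.MessageCount -ge $QueueThreshold }
})
$stuck | Select-Object Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError |
    Format-Table -AutoSize

# 3. What Queue Viewer shows inside a queue: the oldest messages and their last error.
foreach ($q in $stuck) {
    "--- $($q.Identity) ---"
    Get-Message -Queue $q.Identity |
        Sort-Object DateReceived |
        Select-Object -First 5 DateReceived, FromAddress, Subject, Status, LastError
}

# 4. The Queue Viewer actions. Resume is safe to script; remove and redirect are
#    shown as the one-liners an operator runs by hand after looking at step 3.
if ($Fix) {
    foreach ($srv in $Servers) {
        Resume-Message -Server $srv -Filter "Status -eq 'Suspended'" -Confirm:$false
    }
}
# Remove one poison message without generating an NDR (identity from step 3, placeholder):
#   Remove-Message -Identity 'EX01\Submission\1234' -WithNDR $false
# Drain every queue on one server to the other before maintenance (placeholder target):
#   Redirect-Message -Server EX01 -Target ex02.<FQDN>
```

A queue in Retry with a LastError mentioning DNS or 4.4.1 points at name resolution or off-ship connectivity (two of the five areas listed below) rather than at Exchange itself; check those before removing anything from a queue.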
Exchange Troubleshooting (cont.)
There are five areas of importance
Network
Hardware
Services
Configurations
Off ship Connectivity
Exchange Troubleshooting
Configuration items to monitor from the Security Information and Event Management (SIEM) or the System Center Operations Manager (SCOM) dashboard
Mail transport - Replication
Name resolution service
Encryption service - Processes
Messaging Application Programming Interface (MAPI) and mail submission
Active Directory Remote Procedure Call (RPC) access
Directory inquiry
Rights management
Alternate client access for Simple Mail Transfer Protocol (SMTP) clients
Active Directory global catalog
EdgeSync
Hub transport
Directory queries
Lightweight Directory Access Protocol (LDAP) global catalog queries
Registry access
Clustering
CANES is preconfigured to support the implementation of River City procedures in all enclaves
There are four OPSECON groups
OPSECON 1 - CO, XO, CMC, TAO
OPSECON 2 - OPS, EMO, CHENG
OPSECON 3 - All Officers, All Chiefs
OPSECON 4 - E-6 and Junior
Generating and Exporting ACAS Report to VRAM
From ACAS SecurityCenter, navigate to Scans > Active Scans and select desired scan to upload
Select Post Scan and then select the report configured to publish
Click Submit to save the scan, and then navigate to Reporting > Report Results to access the report
Select report and click Download to save locally with a meaningful name
Select Submit button and a dialog box is displayed, indicating the upload has been sent
Server that bypasses wsav
ADNS
Encryption for CANES
Symantec Endpoint Encryption Manager > Symantec Endpoint Encryption Software Setup > Removable Media Encryption is used to restore removable drive encryption to reimaged computers
Disk encryption recovery with BitLocker:
The BitLocker Recovery Key is found under Active Directory Users and Computers (ADUC), on the computer object of the Trusted Platform Module (TPM)-protected computer
Access ADUC > <FQDN> > CANES Users and Computers > Computers
Select the computer and click on the BitLocker Recovery tab to find the BitLocker Recovery Key
All Federal DoD information systems are required to use devices protected by the _____ and maintain the encryption standard of _____ encryption, Federal Information Processing Standards (FIPS) 140-2
All Federal DoD information systems are required to use devices protected by the TPM and maintain the encryption standard of AES 256-bit encryption, Federal Information Processing Standards (FIPS) 140-2
SEE
Symantec Endpoint Encryption
Is used for hard drive encryption
BitLocker
Is used for removable media encryption
WinZip Secure Burn
DAR
Data at rest
Three Bitlocker status
Protection Status 0 – Protection OFF
Protection Status 1 – Protection ON (Unlocked)
Protection Status 2 – Protection ON (Locked)
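The BitLocker status check and the ADUC recovery-key lookup above can both be done from PowerShell, which also makes the lookup auditable. The script below is an added example, not CANES procedure: it assumes the RSAT ActiveDirectory module on the admin host and the BitLocker module on the computer being checked; the computer name in the usage line is a placeholder.

```powershell
# Added example: BitLocker status plus AD recovery-password lookup.
Import-Module ActiveDirectory

function Get-CanesBitLockerStatus {
    # Local view of each volume: what 'manage-bde -status' prints, as objects.
    # ProtectionStatus is On/Off, LockStatus is Locked/Unlocked.
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, LockStatus,
        EncryptionPercentage, EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ',' } }
}

function Get-CanesBitLockerRecoveryPassword {
    # Recovery passwords are child objects (class msFVE-RecoveryInformation) of the
    # computer account; the ADUC "BitLocker Recovery" tab reads these same objects.
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' |
      Sort-Object whenCreated -Descending |
      ForEach-Object {
        [pscustomobject]@{
            Computer = $ComputerName
            Created  = $_.whenCreated
            # The Recovery Key ID shown on the recovery screen is the first 8 hex
            # characters of this GUID; match it before reading out a password.
            KeyID    = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid').ToString().ToUpper()
            Password = $_.'msFVE-RecoveryPassword'
        }
      }
}

Get-CanesBitLockerStatus | Format-Table -AutoSize
# Get-CanesBitLockerRecoveryPassword -ComputerName 'WS-0001'   # placeholder name
```

Several recovery objects per computer are normal (one per key rotation); the newest one whose KeyID matches the recovery screen is the one to read out. Reading a recovery password is a privileged action and the page's special-handling practice applies: record who retrieved it, for which machine, and why.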
NCVI
Navy Certificate Validation Infrastructure
CLO
Cryptographic Logon
UNCLAS enclave CLO logon uses certificates on
the CAC
SECRET enclave CLO logon uses a
Secret Internet Protocol Router Network (SIPRNet) Token
3 ways to log in to the WSAV CLI
- PuTTY: SSH on port 22 to wsav.<FQDN>
- vSphere: from the MRDS remote desktop, open the VCSA and select the UNCLASS_WSAV console
- MRDS remote desktop: Cisco WSAV Management Console shortcut
SCSM
Microsoft System Center Service Manager, the software that manages incidents and problems
View the connectors that transfer data to SCSM
MRDS01 > Microsoft System Center > Service Manager Console > Administration > Connectors
SCOM
System Center Operations Manager
SCOM uses heartbeats to monitor the communication channel between an agent and its management server
If heartbeats stop, no data is transmitted to the management server
A heartbeat is a packet of data sent by an agent every 60 seconds
Three missed heartbeats generate an alert, prompting the management server to ping the computer
If the computer does not respond to the ping, an alert is generated
MECM
Microsoft Endpoint Configuration Manager
Collections
Groups of devices or users that can be created so they can be managed as a group
MECM dashboards have several options to visually represent system data
Navigate to MECM > Monitoring > Overview > Client Status > Client > Activity Dashboard
SIEM and SAM are the names of Virtual Machines (VMs).
What are the applications installed on those VMs?
Sentinel Server and Sentinel Agent Manager are the applications installed on those VMs.
SIEM heartbeat checking
Checks heartbeat every five minutes
Analysis begins after 12 mins of no heartbeat
Unknown status after 18 days of no heartbeat
Sentinel is the security and system log collector and analyzer application for CANES.
New in NetIQ SIEM for SW4 is the addition of two VMs
Microsoft System Center > Operations Console:
If the Server name field is blank, type: EM01 and click Connect.
Troubleshooting VoSIP/VoIP Phones – Basic and Factory Reset (cont.)
Prerequisites for Factory Reset and steps
For SCI enclave, the phone must be on a DHCP-enabled network
For SCI enclave, a valid TFTP server must be set in DHCP option 150 or option 66
The term62.default.loads file (or term42.default.loads) and the files it references should be available on the TFTP server specified in the DHCP packet
Unplug the power cable from the phone and then plug it back in
While the phone is powering up, and before the speaker button flashes on and off, press and hold #
Continue to hold # until each line button flashes (amber) on and off in sequence
Release # and press 123456789*0#
Once the factory reset is completed, perform the steps in the IETM for Manual Cisco SCI VoIP Phone Configuration
VTC
Video Teleconference
Force-Level ships support VTC on:
UNCLAS
SECRET
Sensitive Compartmented Information (SCI)
CANES VTC service includes the Cisco Precision High Definition (HD) camera that works with the
Cisco WEBEX CODEC in SW4 to provide full teleconferencing services to CANES
VTC interfaces with Network Operations Center (NOC), Broadcast Control Authority (BCA), and
Force-level platforms to exchange audio and video
All SCI VTCs, except for the SCI VTC testing conducted by the Global Helpdesk, are scheduled through the
Joint Worldwide Intelligence Communications System (JWICS) VTC Scheduling system via http://vcwizard.dodiis.ic.gov
Download Rules of Engagement and VTC Scheduling guides
Open a web browser and navigate to: http://www.jwics.ic.gov
Download the VTC Scheduling Guide by clicking VTC Engineering > Documents tab > VTC Scheduling Guide
This document will assist with navigating the scheduling wizard to set up an SCI VTC
VTC VLANs
UNCLAS: VLAN 183
SECRET: VLAN 283
SCI: VLAN 513 (Force-level ships only)
SCI: VLAN 520 (Force-level ships only)
VTC Operations
Most teleconferences will use a gatekeeper, meaning participants will call into a central location to join the conference
It may be necessary to bypass the gatekeeper to do a point-to-point teleconference
Before any underway, the VTC should be tested to ensure that all equipment and the connectivity of the system is in good working order
Prior to any scheduled VTC, testing of the equipment should be done the day prior and at least 30 minutes before the call
River City conditions may have to be set to control how much bandwidth a platform uses during a VTC
World Wide Web Publishing Service
Is required for web browsing
About half of the users (one alphabetical range of names) have issues with Exchange
Check that the mailbox databases are mounted on EX01 and EX02 (a dismounted database affects only the users it holds)
A new user does not have access to the USA User folders
The user's nationality may be set wrong; the account has to be recreated
Where to edit River City?
MRDS01 > WSAV
Web app does not open
Check the World Wide Web Publishing service (service name W3SVC)
Server time is out of sync
Restart the "Windows Time" service, then run the command: w32tm /resync
Remote Procedure Call (RPC) error
Check the network adapter from vSphere (VCSA)
Example: on a replication error, check the RODC
Quickest troubleshooting procedure when a server goes down
Revert to the last snapshot in vSphere (VCSA). Caveat: treat domain controllers as a special case, since reverting a DC to an old snapshot can cause USN rollback.
Services to check on the NSIPS server (4)
PeopleSoft D:Apps, PeopleSoft PIA, OracleServiceNEDB, Oracle…Listener
User's browser fix for NSIPS
Clear the browsing cache
If the account does not show under "create user" after NSIPS "NSIPS Self-Service (New Users)"
Let the admin know
IMS band-aid
Stop the IMS message agent service
Stop the process within IMS
Restart the IMS message agent
People cannot access their email
Check that the mailbox database is mounted
Servers > Databases > ellipsis (…) menu
View whether anything is stuck in the outbox queue
Check Queue Viewer in the Exchange Toolbox
For in-depth Exchange settings
Create scripts
Active Directory Administrative Center
2 River City components
WSAV and Exchange
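Most of the quick fixes above come down to "is the service running" and "is the clock right", so a first-look script saves time before opening the IETM. The script below is an added example, not a CANES tool: W3SVC and W32Time are the real service names behind "World Wide Web Publishing" and "Windows Time"; the NSIPS entries use wildcards because the page gives only display names; the domain controller name and the -Fix switch are assumptions.

```powershell
# Added example: first-look service and clock check for a CANES Windows server.
param(
    [string]$DomainController = 'dc01',   # assumed name of the authoritative time source
    [switch]$Fix                          # restart services / resync only when asked
)

function Test-CanesServices {
    # One object per expected service (wildcards allowed) with its current state.
    param([string[]]$Names)
    foreach ($n in $Names) {
        $svcs = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svcs) { [pscustomobject]@{ Service = $n; Status = 'NOT INSTALLED' }; continue }
        foreach ($s in $svcs) {
            [pscustomobject]@{ Service = $s.Name; Status = $s.Status }
            if ($Fix -and $s.Status -ne 'Running' -and $s.StartType -ne 'Disabled') {
                Restart-Service -Name $s.Name -Force   # also starts a stopped service
            }
        }
    }
}

function Get-TimeOffsetSeconds {
    # "Server time is out of sync": measure the offset instead of guessing.
    # w32tm /stripchart /dataonly prints sample lines like "12:00:01, +00.0123456s".
    param([string]$Peer)
    $out = w32tm /stripchart /computer:$Peer /samples:1 /dataonly 2>&1
    $line = $out | Where-Object { $_ -match ',\s*([+-]\d+\.\d+)s' } | Select-Object -Last 1
    if ($line -match ',\s*([+-]\d+\.\d+)s') { return [double]$Matches[1] }
    return $null
}

# Services from the troubleshooting entries above; the last two are wildcards (assumed).
$expected = @('W3SVC', 'W32Time', 'OracleServiceNEDB', 'Oracle*Listener', 'PeopleSoft*')
Test-CanesServices -Names $expected | Format-Table -AutoSize

$offset = Get-TimeOffsetSeconds -Peer $DomainController
if ($null -eq $offset) {
    Write-Warning "Could not measure time offset against $DomainController (port 123 UDP reachable?)"
} elseif ([math]::Abs($offset) -gt 300) {
    # Kerberos tolerates 5 minutes of skew; beyond that, RPC and logon errors follow.
    Write-Warning "Clock is off by $offset s from $DomainController"
    if ($Fix) {
        Restart-Service -Name W32Time -Force
        w32tm /resync
        "w32tm /resync exit code: $LASTEXITCODE"
    }
} else {
    "Clock offset from ${DomainController}: $offset s (OK)"
}
```

Run it without -Fix first; a "NOT INSTALLED" row on a host that should have that role is a different problem from a stopped service, and an offset far beyond 5 minutes usually means the RPC errors above are a symptom of time, not of the network adapter.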
How to access WSAV
MRDS01 > wsav.<FQDN>
Web Security Manager
Policy Groups
Disable River City
By disabling all groups (1-4)
To set River City 1, disable policies River City 2, 3, and 4
When to look for the SOPA watchbill
Tuesdays
Explore the ship's browsing
WSAV
monitor/wsa_user_report
How to set River City
MRDS01 > wsav.<FQDN>
Web Security Manager
Policy Groups
Starting ACS services
Page 28 in the ACS 3.4 System Admin PDF (CANES folder), as <admin> sysadmin
- You will have to change to the indicated directory
- omit services
Where to look for passwords
_CANES install
Where to update Cyber 12 O'Clock reports
vram.navy.mil, per network
Cybersecurity Readiness
- Last scan date, total, current, valid, percent scanned, RA, NRA, VPH
RA, NRA, VPH
Remediation Available, No Remediation Available, Vulnerabilities per Host
Command to reset a Cisco switch once connected with PuTTY
reload
Break down RA / NRA / VPH (common remediation)
Detail View (Windows updates / sailor.com updates)
Personal For (message)
Print it out, take it to the captain, and annotate it in the special handling log
Smell smoke
Cut the power source
Report the class of fire and its location to the CSOOW
Test the agent (45-second CO2 bottle)
"The fire appears to be out"
The duty electrician determines when a class Charlie fire is out
SIPR: COMMPLAN
Order of restoral: Enclosure 11, Overall Restoral Priority
Breakdown: Enclosure 12, Circuit Restoral Priority
First action during flooding?
Try closing valve
If abandoning space what to take with you?
Visitor’s log
Message log
Crypto inventory
CO2 bottle specs
- 4-6 feet
- 45 seconds
- test
- ground
Say fire is out:
“The fire appears to be out”
Who can determine a class Charlie fire is out
Duty electrician
Overall restoral priority found at
Enclosure 11, COMMS PLAN
ACAS
Assured Compliance Assessment Solution
ACAS functions (Tenable Security Center)
Discover what is in my network
Discover what vulnerabilities my systems have
Check if my systems are compliant with STIGs
Create reports on my assessments and vulnerabilities for CMRS
Who supports program management and supports the deployment of this solution?
The Defense Information Systems Agency (DISA) is a combat support agency of the U.S. Department of Defense (DoD). It provides secure and reliable communications, IT solutions, and cybersecurity capabilities to enable command and control, information sharing, and decision-making for military forces and other government stakeholders. DISA plays a critical role in ensuring global connectivity and interoperability for the DoD.
STIG
A Security Technical Implementation Guide or STIG is a configuration standard consisting of cybersecurity requirements for a specific product. The use of STIGs enables a methodology for securing protocols within networks, servers, computers, and logical designs to enhance overall security.
Nessus Agent
Lightweight agent installed in the clients
Tenable Security Center
Pushes updates, plugins, pulls results.
How does ACAS discover assets?
Traceroute
Port scanner
Host TTL discovery
Ping
Types of vulnerability
Configuration
Implementation
Design
Examples of configuration vulnerability
Poorly Configured Firewall Rules: Allow unnecessary or overly permissive traffic through a firewall, potentially enabling attackers to access sensitive services or systems.
Web Servers Displaying Directory Contents: When no index.html or equivalent file exists, the server may expose the directory listing, revealing file names and paths that could aid attackers in identifying exploitable files.
FTP Servers with Publicly Readable/Writeable Incoming Directories: Allow unauthorized users to upload and download files, which could lead to data leaks, malware distribution, or abuse of the server for malicious purposes.
Examples of implementation vulnerability
Web Forms That Do Not Sanitize Data Before Passing It to a SQL Database: This can lead to SQL Injection attacks, where malicious input can manipulate database queries, potentially exposing or altering sensitive data.
Program That Allows for Buffer Overflows: A vulnerability where a program writes more data to a buffer than it can handle, potentially allowing attackers to overwrite memory, execute arbitrary code, or crash the system.
Websites That Allow XSS (Cross-Site Scripting) or CSRF (Cross-Site Request Forgery):
XSS: Exploits web pages to inject malicious scripts that run in a user’s browser, stealing cookies or sensitive data.
CSRF: Tricks a user into performing unwanted actions on a site where they are authenticated, potentially causing unauthorized changes or data exposure.
Examples of design vulnerability
Telnet: A protocol for remote communication that transmits data, including credentials, in plain text. This lack of encryption makes it vulnerable to eavesdropping and credential theft.
FTP (File Transfer Protocol): Like Telnet, FTP transmits data, including usernames and passwords, in plain text, making it susceptible to interception by attackers.
Berkeley “r” Services (e.g., rsh, rlogin, rexec): These services rely on trust-based authentication (like hostname-based trust), which is weak and easily spoofed. They lack encryption, exposing communication to interception and abuse.
SSH v1 (Man-in-the-Middle Attack): The first version of SSH (Secure Shell) has flaws in its key exchange process, making it vulnerable to man-in-the-middle (MITM) attacks. An attacker can intercept and alter the communication between two parties without detection. SSH v2 addresses these vulnerabilities with improved encryption and authentication mechanisms.
NASL
Nessus Attack Scripting Language
PASL
Passive Analysis Script Language, the code used by the plugins of the Nessus Network Monitor (NNM), the passive scanner
What are the sources of security related data?
log files, HTTP traffic, login processes etc
The difference between active scanning and passive scanning lies in their methods and impact on the target system or network:
Active Scanning:
Definition: Actively interacts with the target system by sending probes or requests to gather information.
Examples: Port scanning, vulnerability scanning, or sending queries to detect open ports or services.
Impact: Can be detected by intrusion detection systems (IDS) or security logs due to the direct interaction.
Use Case: Identifying specific vulnerabilities or open services on a system.
Passive Scanning:
Definition: Observes network traffic or system activity without directly interacting with the target.
Examples: Monitoring network traffic via packet sniffing or analyzing publicly available information.
Impact: Stealthy and less likely to be detected by security measures, as it does not generate noticeable traffic.
Use Case: Gathering intelligence without alerting the target, such as during reconnaissance.
When performed on your own network, the difference between active and passive scanning is primarily about how each method interacts with your network systems and the type of information gathered:
Active Scanning:
How It Works: Actively probes devices on the network (e.g., via ping sweeps, port scans, or vulnerability scanners like Nessus).
Purpose: To identify open ports, services, misconfigurations, or vulnerabilities in real time.
Impact: Generates noticeable traffic on the network and may temporarily disrupt operations if scans are too aggressive.
Example Use Case: Testing for open ports, weak passwords, or outdated software.
Passive Scanning:
How It Works: Monitors and analyzes traffic passively without sending probes (e.g., using tools like Wireshark or network intrusion detection systems).
Purpose: To observe network activity, detect anomalies, and gather intelligence without affecting network performance.
Impact: Non-intrusive, with no risk of disrupting network operations.
Example Use Case: Monitoring for unauthorized devices or suspicious traffic patterns.
Data at rest and Data in motion
Data at Rest: Data stored on devices (e.g., hard drives, databases) and not actively moving. Protected via encryption and access controls.
Data in Motion: Data being transmitted over a network. Secured with encryption (e.g., TLS) to prevent interception.
Tenable Security Center communicates with _____ to send scanning instructions and receive results.
Associated Nessus Scanner
The Nessus manager can manage up to _____ Nessus Agents
10,000
What is a plugin in the context of Nessus?
In the context of Nessus, a plugin is a script or module that performs a specific check during a scan. Plugins are used to identify vulnerabilities, misconfigurations, or compliance issues. Each plugin is tailored to detect a particular condition, such as missing patches, outdated software, or weak configurations, using techniques like banner grabbing, file checks, or service analysis. Plugins are regularly updated by Tenable to include checks for newly discovered vulnerabilities.
Tenable generally releases Security Center and NNM updates _____, and Nessus updates are closer to _____
Tenable generally releases Security Center and NNM updates quarterly, and Nessus updates are closer to monthly or bi-monthly
DISA plugin servers and the Patch Repositories (NIPR and SIPR) are updated …
DISA plugin servers and the Patch Repositories (NIPR and SIPR) are updated daily. Contractually, plugins should be updated with IAVM data within 48 hours of the IAVM announcement. Note that not all Tenable products receive daily plugin updates from the COTS vendor, however sites should update plugins daily.
ACAS port requirements (source -> destination: port)
Web browser -> Security Center: 443 (inbound)
Web browser -> Nessus Scanner / Manager: 8834 (inbound)
Web browser -> NNM Scanner: 8835 (inbound)
Security Center -> NIPRNET / SIPRNET: 443
Security Center -> Nessus Scanner / Manager: 8834
Security Center -> NNM Scanner: 8835
Security Center -> Security Center (repository sync): 22 (optional)
Nessus Agents -> Nessus Manager: 8834 (default), 8934 (recommended)
Nessus cluster child node -> Nessus cluster parent node: 8834 (default), 8934 (recommended)
Nessus Scanner -> Target: no firewall or restrictions
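When a scan will not launch or agents stop reporting, the rows above are the first thing to verify. The script below is an added example, not part of the ACAS documentation: the three hostnames are placeholders for the ship's Security Center, Nessus and NNM hosts, and only the rows an admin workstation can exercise are included. Rows whose source is Security Center have to be tested from the SC host itself (RHEL), for example with nc -vz host port or curl -vk https://host:port.

```powershell
# Added example: exercise the browser/agent rows of the ACAS port matrix from a Windows admin host.
$sc     = 'acas-sc.<FQDN>'      # placeholder hostnames
$nessus = 'acas-nessus.<FQDN>'
$nnm    = 'acas-nnm.<FQDN>'

# (destination, port, matrix row) for the paths reachable from this host
$matrix = @(
    @{ Dest = $sc;     Port = 443;  Why = 'Web browser -> Security Center' }
    @{ Dest = $nessus; Port = 8834; Why = 'Web browser -> Nessus Scanner / Manager' }
    @{ Dest = $nnm;    Port = 8835; Why = 'Web browser -> NNM Scanner' }
    @{ Dest = $nessus; Port = 8934; Why = 'Nessus Agent -> Nessus Manager (recommended port)' }
)

function Test-AcasPorts {
    # One row per path: does a TCP connection to the destination port succeed?
    param([object[]]$Rows)
    foreach ($r in $Rows) {
        $open = Test-NetConnection -ComputerName $r.Dest -Port $r.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Path        = $r.Why
            Destination = "$($r.Dest):$($r.Port)"
            Open        = $open
        }
    }
}

Test-AcasPorts -Rows $matrix | Format-Table -AutoSize
```

A closed 8834/8934 toward the Nessus Manager is the quiet failure mode: agents do not alert, they simply stop checking in, and the first visible symptom is hosts ageing out of the repository.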
Difference between Nessus and Tenable
Nessus is a product developed by Tenable, Inc., which is the company behind its creation and ongoing development. Tenable provides various cybersecurity solutions, and Nessus is one of their key offerings focused on vulnerability scanning and assessment.
NNM uses what language?
PASL
CMRS
Continuous Monitoring and Risk Scoring
tenable.sc
Tenable Security Center
Plugins relate to an IAVA which is
IAVA stands for Information Assurance Vulnerability Alert. It is a notification issued by the U.S. Department of Defense (DoD) to address and mitigate security vulnerabilities that could pose a significant risk to DoD information systems.
Tenable.sc, start scan or report button
“Launch”
Tenable.sc last updates
“Feeds”
Tenable.sc Zone
Group of IP address
In the context of Tenable Security Center, a repository is a
In the context of Tenable Security Center, a repository is a data storage container that organizes and stores vulnerability and scan data.
Manually and Automatically get plugins (Tenable)
Tenable plugins are updated in two ways: from the DoD Patch Repository manually, and from the DISA plugin server automatically. The DoD Patch Repository link is available in the BPG
What is used to install Tenable Security Center and Nessus on Linux?
ACAS Kickstart
How are Tenable Security Center and Nessus run on a Windows OS host?
In Linux virtual machines
Building blocks for Tenable Security Center
Policies
Zones
Organization (roles)
Plugins (scripts)
The IP addresses you are scanning must be contained in both
the repository and the definition of the scan zone
DISA has approved Tenable Security Center to run only on what OS?
RHEL
Nessus Active Scan components
Credentials
Scan Schedule
Policy
Repository
Targets
Scan Zones (static IPs)
What file to check to see a different parameter for a plugin is acceptable?
Scan Policy Settings Spreadsheet
Scanning Freeze Window
Assets protected from scanning
Default scan zone is
Common ports
How to open downloaded scans (Nessus)
Wordpad
Create Nessus Report (Tenable Report)
Reports > Reports Result > Check box > Download
Where to acquire information about the Nessus Cyber Summary Report
BPG Appendix Q
Nessus Cyber Summary Report and what is needed for TASKORD compliance scanning.
Auditors will need to see no less than 90 days’ worth of scan data or report results that demonstrate the organization is consistently performing TASKORD compliance scanning. It is recommended to store report results offline or in other systems to demonstrate historical TASKORD compliance. This report can be used to show proof of 7 days’ worth of results that demonstrate the organization is consistently performing TASKORD compliance scanning. The report should be run weekly, 3 months prior to a CORA (previously called a CCRI.)
How do you share generated reports automatically? (NESSUS)
Distribution Tab
Share report to person in another organization (NESSUS)
email addresses
(NESSUS) What plugin is best to start with when there are issues with a scan?
19506
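Plugin 19506 (Nessus Scan Information) is the right starting point because its output says whether the scan ran with credentials, which policy it used and how long it took; reading that out of a downloaded .nessus file in WordPad is slow for more than a few hosts. The script below is an added example, not a Tenable or CANES tool: it parses the .nessus XML format, and the embedded two-host document is constructed sample data (placeholder plugin IDs for the findings, with only 19506 being a real plugin).

```powershell
# Added example: per-host triage of a .nessus result file from plugin 19506.
# Constructed two-host sample; real files come from Tenable.sc scan result downloads.
$sampleNessus = @'
<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="Weekly TASKORD scan">
 <ReportHost name="10.1.1.10">
  <HostProperties>
   <tag name="host-fqdn">ex01.ship.navy.mil</tag>
  </HostProperties>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
   <plugin_output>Information about this scan :

Nessus version : 10.6.1
Plugin feed version : 202401150915
Scan policy used : ACAS Best Practice Scan
Credentialed checks : yes, as 'ship\acas_scan' via SMB
Scan duration : 934 sec
</plugin_output>
  </ReportItem>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="900001" pluginName="(constructed medium finding)" pluginFamily="Misc."/>
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="3" pluginID="900002" pluginName="(constructed high finding)" pluginFamily="Misc."/>
 </ReportHost>
 <ReportHost name="10.1.1.20">
  <HostProperties>
   <tag name="host-fqdn">ex02.ship.navy.mil</tag>
  </HostProperties>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
   <plugin_output>Information about this scan :

Nessus version : 10.6.1
Plugin feed version : 202401150915
Scan policy used : ACAS Best Practice Scan
Credentialed checks : no
Scan duration : 61 sec
</plugin_output>
  </ReportItem>
 </ReportHost>
</Report>
</NessusClientData_v2>
'@

function Get-NessusScanSummary {
    # One object per ReportHost: 19506 facts plus finding counts by severity.
    param([Parameter(Mandatory)][xml]$Doc)
    foreach ($rh in $Doc.NessusClientData_v2.Report.ReportHost) {
        $info = $rh.ReportItem | Where-Object { $_.GetAttribute('pluginID') -eq '19506' } | Select-Object -First 1
        $text = if ($info) { $info.plugin_output } else { '' }
        # 19506 output is "Key : value" lines; keep them in a hashtable.
        $kv = @{}
        foreach ($line in ($text -split "`r?`n")) {
            if ($line -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $kv[$Matches[1]] = $Matches[2] }
        }
        $fqdn = ($rh.HostProperties.tag | Where-Object { $_.GetAttribute('name') -eq 'host-fqdn' }).InnerText
        # Nessus severity: 0 info, 1 low, 2 medium, 3 high, 4 critical.
        $sev = @{}
        foreach ($ri in $rh.ReportItem) {
            if ($ri.GetAttribute('pluginID') -ne '19506') { $sev[[int]$ri.GetAttribute('severity')]++ }
        }
        [pscustomobject]@{
            Host         = $rh.GetAttribute('name')
            FQDN         = $fqdn
            Credentialed = ($kv['Credentialed checks'] -like 'yes*')
            Policy       = $kv['Scan policy used']
            FeedVersion  = $kv['Plugin feed version']
            DurationSec  = [int]($kv['Scan duration'] -replace '\D', '')
            Critical = [int]$sev[4]; High = [int]$sev[3]; Medium = [int]$sev[2]; Low = [int]$sev[1]
        }
    }
}

function Get-NessusScanSummaryFromFile {
    param([Parameter(Mandatory)][string]$Path)
    Get-NessusScanSummary -Doc ([xml](Get-Content -Raw -Path $Path))
}

$summary = Get-NessusScanSummary -Doc ([xml]$sampleNessus)
$summary | Format-Table -AutoSize
# A host scanned without credentials ran remote checks only: a short duration and a
# low finding count there are a scan problem, not a clean host.
$summary | Where-Object { -not $_.Credentialed } |
    ForEach-Object { Write-Warning "$($_.Host) ($($_.FQDN)) scanned WITHOUT credentials" }
```

In the sample, ex02 shows the classic signature: no credentials, a 61-second scan and zero findings. The FeedVersion column is also the quick way to confirm the plugin set was current relative to the IAVM 48-hour requirement noted above.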