Chap 8 - Security operations Flashcards
what are the common classifications of an event
- precursor = signal that something will take place
- indicator = signal that something is taking place
what are the main issues log management addresses
- compliance and standards
- policies throughout the system and info lifecycle
- infrastructure
- generation, collection and normalization
- protection from creation to disposal (archival / defensible destruction)
- review, analytics and reporting
what is an IDS
solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access
what is an IPS
solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access
IDS/IPS deployment
can be deployed as perimeter placement (DMZ) or host-based or network-based and be located at various physical and logical locations in the IT environment
how can IDS/IPS detect malicious activities
- deviation
- signatures
- pattern matching
- heuristic (machine learning algorithm)
what are the main tradeoffs associated with IDS/IPS
- maintenance
- overhead
- false positives
- agility
what are types of SIEM deployments
- self-hosted, self-managed
- cloud SIEM, self-managed
- hybrid self hosted
- SIEM as a Service
what are the main functions of a SIEM
- aggregation = gather info across environment
- normalization = present data in meaningful ways
- correlation = probability that a stream of log events indicates an attack
- secure storage = follow the rules of evidence
- analysis = automatic analysis
- reporting
- real-time monitoring = threat detection across network
ingress monitoring
inbound communication traffic
tools:
- firewall
- gateway
- remote authentication servers
- IDS/IPS
Egress monitoring
outbound communication traffic
tools:
- DLP (through signature, pattern, labeling)
DLP can cover data at rest, in motion and in use
what are the main efforts as part of data protection
- data discovery / classification / categorization
- monitoring
- enforcement (training, attribution, prevention)
what do we use regression testing for?
confirms that the system's behavior has been altered only in ways that the approved change should have caused and that no other anomalous behavior has resulted from the changes
what is the Information Technology Infrastructure Library (ITIL)
widely adopted information technology change practices
what are the ITIL change process levels based on urgency
- standard changes
- emergency changes
- normal changes
what are the 2 important processes that come together via well-implemented change mgmt practices
- baselining
- provisioning
change initiation steps include
- identification of change requirements
- risk assessment
- change prioritization
- documentation of the RFC
Change review & approval steps include
- evaluating the RFCs for completeness
- assignment to the proper change authorization process
- stakeholder review
- appropriate approvals or rejections
- documentation of approval or rejection
implementation and evaluation steps include
- scheduling the change
- testing the change
- verifying the rollback procedures
- implementing the change
- evaluating the change for proper operation
- documenting the change in the production
what are the challenges of the system patching practice
- interoperability
- poorly crafted patches
- required downtime
- virtualization-specific concerns
- timing
what are the best practices in patching systems
- notice of patch
- determine applicability/evaluation
- determine potential impacts
- testing the patch
after approval ->
- perform a full backup prior to application
- apply the patch
- confirm installation of the patch for all target systems
verify operational status post-patch ->
- solicit/receive user feedback
- document
or
- rollback if required
what are the 4 main change management activities
- change management
- vulnerability management
- patch management
- configuration management
when does an event become an incident?
when there is a possibility of harm
what are common business practices to handle incidents
- incident detection
- assessment
- escalation
- communication
- recovery
- learning
what is the NIST computer security incident handling lifecycle
- preparation
- detection and analysis
- containment, eradication and recovery
- post-incident activity
what are the 4 phases of cyber forensics
- collection (of medias -> data)
- examination (of the data -> to find information)
- analysis (of the information -> to find evidence/artifacts)
- reporting (of the evidence/artifacts)
what are the incident response team's communications to key stakeholders
- customers (media)
- other response teams
- internet service providers
- incident reporters
- law enforcement agencies
- software and support vendors
what is the primary role of Security Operation Center (SOC)
ENABLE the organization’s senior leadership and management to make INFORMED DECISIONS about emergency or urgent actions to take to PROTECT THE ORGANIZATION from loss or impact
what are some types of events that might be a step of an attack kill chain
- input buffer overflows
- endpoint/ removable media infections
- filenames containing unusual/ unprintable characters
- access control system notice
- unplanned restart
- unmanaged host or endpoint trying to join the network
- notice of unplanned configuration changes
- multiple failed login attempts
- email system alert of an increase in bounced/refused/junk mail
- unusual deviation in network traffic flows
what are the main approaches to root cause analysis
- Pareto analysis = 80% value -> 20% effort
- 5 whys
- Fishbone diagram = visualization tool focusing on causes
- failure mode effects analysis = systematic identification of failure modes
- Fault tree = applies Boolean logic
what are the main types of attack containment tactics
- logical or physical disconnection
- disconnect key server
- disconnect your internal network
- disabling wifi
- disabling outgoing and incoming connection to unknown
- disabling outgoing and incoming connection to all external
- disconnect from any extranets or VPNs
- disconnect all external access to system
- disable internal users, processes or applications
what is the eradication process
process of identifying and then removing every instance of the causal agent and its associated files, executables and so forth from all elements of your system
what is the recovery process
process by which the organization’s IT infrastructure, applications, data and workflows are reestablished and declared operational
what is the remediation process
activities to immediately limit or reduce the chance of reoccurrence of this type of attack
what is a SOAR
- security orchestration
- security automation
- security response
what is allow listing
permits only previously approved items to be executed and blocks execution of all others
what is block listing
explicitly prohibits applications on the block list
what is a honeypot or honeynet
machines that exist on the network but do not contain sensitive or valuable data (a number of connected machines form a honeynet)
they are not to be considered a means to lure or attract the attention of malicious actors
is hackback legal
in almost all jurisdictions hackback is illegal, often with severe penalties (in the US and UK it is a felony)
main steps an organization can take to improve its response to ransomware
- back up data regularly
- separate backups from the computer and the network being backed up
- physically isolate sensitive processes
- implement cross-domain solutions
- patch mgmt and legal software
- awareness training
- anti-malware tools
- IDS/IPS
- incident response readiness
- network segmentation for quarantine
- tabletop exercises
- define decision making process
- others including EDR / XDR / etc.
what is software defined security (SDS)
next generation of SOAR -> holistic approach
evolution from the start:
1. IAM
2. device label sec
3. Network IDS/IPS
4. SIEM
5. SOAR
6. SDS
types of security services provided by 3rd parties
- threat hunting
- network monitoring
- physical security
- network mgmt
- audit
what are the main due diligence steps when contracting a 3rd party
- review governance
- SLAs
- NDAs
- insurance/bonding
- audit/testing
- strong contract language
- regulator approval
what is the minimum protection in a backup storage strategy
- 3 copies of the data (original + 2x backups)
- 2x different storage media types (magnetic/removable/cloud)
- one copy offsite
what are the types of locations for backups
- onsite
- offsite
- Cloud backup as a service
what are types of backup
- Full backup
- differential backup: all changes since the last full backup
- incremental backup: new/changed files since the last full backup
- journaling: granular recovery of a DB, records all transaction logs
- Snapshot: virtualized storage that mirrors data blocks
- Continuous data protection (CDP): form of snapshotting every time a data block changes
2 key considerations when backing up
Versioning: ability to conserve several versions of backups to eliminate the risk of losing all recovery capability (if one affected…)
Validation: each backup should be validated to ensure the copy is thorough and accurate
what are common recovery site strategies
- Mirrored: identical to original -> High availability & reliable
- Hot: similar to mirror but no latest data -> few hours deploy
- warm: no current version, no full equip. -> few days deploy
- cold: empty facility -> no HW/software ->few weeks/month
- mobile: portable facility -> HW only -> few days deploy
- Cloud: backup in CSP -> check SLAs for guarantees
- Joint operating agreement (JOA): usually gov. shared location
- multiple processing sites: each site 50% capacity (active-active)
what is the difference between active-active & active-passive
active-active: all sites operate normally, but at low capacity (e.g., 50%) if needed ability to transfer 100% on single site
active-passive: at least 1x site of the cluster is not working in normal operations -> only brought online if the "Active system" is disrupted
what are the key system resilience considerations
- sufficient spare components
- clustering of sites (e.g., active-active)
- power
- Uninterruptible power supplies (UPS)
- generators
what are the different types of Redundant Array of Independent Disks (RAID)
- RAID 0: no actual redundancy -> data striped
- RAID 1: mirroring
- RAID 2: legacy approach (not used)
- RAID 3 & 4: data striped across multi-drives & 1x parity drive
- RAID 5: Data & parity striped across multi-drives
- RAID 6: data striped & 2x sets of parity across multi-drives
- RAID 0+1: data striped & mirror -> used by Cloud -> see SLA
- RAID 1+0 (10): data striped and duplicated simultaneously
- RAID 15 & 51: use of 1 and 5 -> high cost and impact on prod.
why apply physical security
protect from
- damage
- loss
- theft
what is Crime prevention through environmental design (CPTED)
- landscape to enforce sec. (no straight road, fence, river)
- area isolation
- lighting system for movement detection
- guards
- doors/ windows with solid core
- locks
- etc.
what are the types of protection for wiring closets (server rooms)
- secured room
- access to room monitored
- tamper protection
- environmental protection
- protection from lightning
- backup power
- HVAC system
- fire detection
- emergency shutoff
Heating, Ventilation and Air Conditioning (HVAC) security & safety protections
- redundancy
- detection of failure (sensors)
- HVAC control
- adequate cooling & airflow
what are the main environmental issues to consider
- hurricane
- tornado
- forest/wildfire
- earthquake
- tsunami
- flooding
- mudslides
what is the fire triangle
- fuel
- O2
- heat
what are the fire classes
EU -> US -> description -> counter
A -> A -> ordinary combustible -> water
B -> B -> flammable liquids -> Foam
E -> C -> Electrical -> CO2
D -> D -> flammable metals -> dry powder
F -> K -> commercial cooking equipment -> chemicals
what are common types of water-based suppression systems
- wet-pipe
- dry pipe
- pre-action
- deluge
- aqueous firefighting foam (AFFF)
what are common gas-based suppression systems
- hydrofluorocarbon
- halon
- FM-200
- carbon dioxide (CO2)
- Argonite
- inergen
what are personal/security concerns when traveling
- secure remote access
- jurisdictional concerns
- personnel protection
- condition monitoring
what is duress
personnel should have a means to report to the organization if they are ever put under duress (threatened)
Darcy is designing a fault tolerant system and wants to implement RAID-5 for her system. What is the minimum number of physical hard disks she can use to build this system?
Three
RAID level 5, disk striping with parity, requires a minimum of three physical hard disks to operate.
Which one of the following is an example of physical infrastructure hardening?
A. Antivirus software
B. Hardware-based network firewall
C. Two-factor authentication
D. Fire suppression system
D. Fire suppression system
Antivirus software, hardware firewalls, and two-factor authentication are all examples of logical controls.
You are also concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers?
RAID
Redundant Array of Inexpensive Disks (RAID) uses additional hard drives to protect the server against the failure of a single device.
What does labelling data allow a DLP system to do?
The DLP system can detect labels and apply appropriate protections.
Data loss prevention (DLP) systems can use labels on data to determine the appropriate controls to apply to the data.
What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing water?
Preaction
A preaction fire suppression system activates in two steps.
The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.
Warren is designing a physical intrusion detection system for his data center and wants to include technology that issues an alert if the communications lines for the alarm system are unexpectedly cut. What technology would meet this requirement?
Heartbeat sensor
Heartbeat sensors send periodic status messages from the alarm system to the monitoring center.
Which one of the following fire suppression systems uses a suppressant that is no longer manufactured due to environmental concerns?
Halon
Halon fire suppression systems use a chlorofluorocarbon (CFC) suppressant material that was banned in the Montreal Protocol because it depletes the ozone layer.
Which one of the following humidity values is within the acceptable range for a data center operation?
Data center humidity should be maintained between 40% and 60%.
Values below this range increase the risk of static electricity, while values above this range may generate moisture that damages equipment.
What protocol is used to handle vulnerability management data?
The Security Content Automation Protocol (SCAP) is a community sourced specification for security flaw and security configuration information and is defined in NIST
Danielle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, as well as how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these?
CVSS
The Common Vulnerability Scoring System (CVSS) includes metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated, as well as a means to score vulnerabilities against users' unique requirements.
When a Windows system is rebooted, what type of log is generated?
Information
Rebooting a Windows machine results in an information log entry.