Chapter 1 Flashcards

1
Q

CIA Triad

A
  1. Confidentiality = prevents the unauthorized disclosure of information. It keeps secret information secret.
  2. Integrity = prevents the unauthorized alteration of information or systems. It keeps our data safe from intentional or accidental changes.
  3. Availability = ensures authorized users are able to access information and systems when they need them.

2
Q

Encryption

A

Encryption scrambles data to make it unreadable by unauthorized personnel. Authorized personnel can decrypt the data to access it, but encryption techniques make it extremely difficult for unauthorized personnel to access encrypted data.

3
Q

AES

A

Advanced Encryption Standard

4
Q

PII

A

Personally Identifiable Information

5
Q

Access Controls

A

Identification, authentication, and authorization are the three core identity and access management activities that help ensure that only authorized personnel can access data.

Identification. Users claim an identity with a unique username.

Authentication. Users prove their identity with authentication, such as with a password.

Authorization. Next, you can grant or restrict access to resources using an authorization method, such as permissions.

Remember. Confidentiality ensures that data is only viewable by authorized users. The best way to protect the confidentiality of data is by encrypting it. This includes any type of data, such as PII, data in databases, and data on mobile devices. Access controls help protect confidentiality by restricting access.

6
Q

SHA

A

Secure Hash Algorithm

7
Q

md5sum.exe

A

You can use freeware such as md5sum.exe to calculate MD5 hashes.

8
Q

SPOF

A

Single point of failure. A common goal of fault tolerance and redundancy techniques is to remove each single point of failure (SPOF).

9
Q

Disk redundancies.

A

Fault-tolerant disks, such as RAID-1 (mirroring), RAID-5 (striping with parity), and RAID-10 (striping with a mirror), allow a system to continue to operate even if a disk fails.

10
Q

Server redundancies

A

Failover clusters include redundant servers and ensure a service will continue to operate, even if a server fails. In a failover cluster, the service switches from the failed server in a cluster to a redundant or standby server in the same cluster.

11
Q

Network redundancies.

A

Load balancing uses multiple servers to support a single service, such as a high-volume website. Network interface card (NIC) teaming can provide both redundancy support and increased bandwidth by putting two or more network cards in a single server.

12
Q

horizontal scaling

A

Adding additional servers

13
Q

Vertical scaling

A

Vertical scaling doesn’t add more servers, but instead adds resources, such as memory or processing power, to individual servers. For example, a server may have 16 GB of random-access memory (RAM) installed. Administrators can scale the system up by manually adding an additional 16 GB of RAM, giving it 32 GB. However, there is typically a limit to scalability based on the system. For example, a server may only support 32 GB of RAM. Once it has 32 GB of RAM, you can no longer scale up the RAM.

14
Q

Elasticity

A

Elasticity automates scalability by having the system add and remove resources as needed.

15
Q

TCO

A

Total cost of ownership

16
Q

TCP

A

Transmission Control Protocol

17
Q

Resiliency

A

A current trend is to increase the resiliency of systems rather than seek the highest possible availability. This ensures that systems are reliable but without the high cost associated with highly available systems. (such as an uninterruptible power supply or generators), network interface card (NIC) teaming, or redundant disks. If power fails, or one of the NICs stops receiving traffic, or one of the disk drives fails, the system can quickly recover.

18
Q

Risk

A

Risk is the possibility or likelihood of a threat exploiting a vulnerability resulting in a loss.

19
Q

threat

A

A threat is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability.

20
Q

vulnerability

A

A vulnerability is a weakness. It can be a weakness in the software, the configuration, or even the users operating the system.

21
Q

security incident

A

A security incident is an adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of an organization’s information technology (IT) systems and data. This includes intentional attacks, malicious software (malware) infections, accidental data loss, and much more.

22
Q

Risk mitigation

A

Risk mitigation reduces the chances that a threat will exploit a vulnerability, or the impact that the risk will have on the organization if it does occur. You reduce risks by implementing controls (also called countermeasures and safeguards).

23
Q

Technical controls

A

Type of security control. Technical controls use technology such as hardware, software, and firmware to reduce risk.

24
Q

Managerial controls

A

Type of security control. Managerial controls are primarily administrative in function. They are typically documented in an organization’s security policy and focus on managing risk.

25
Operational controls
Type of security control. Operational controls help ensure that the day-to-day operations of an organization comply with the security policy. People implement them.
26
Physical controls
Type of security control. Physical controls impact the physical world, such as locks on doors, fences, security guards, and other objects that you can physically touch.
27
Preventive controls
attempt to prevent an incident from occurring.
28
Detective controls
attempt to detect incidents after they have occurred
29
Corrective controls
attempt to restore normal operations after an incident occurs.
30
Deterrent controls
attempt to discourage individuals from causing an incident.
31
Compensating controls
are alternative controls used when a primary control is not feasible.
32
Control Categories
The control categories (technical, managerial, operational, and physical) describe how the control works. Technical controls use technology to achieve their goals. Managerial controls use administrative functions. Operational controls are implemented by operational staff. Physical controls use physical safeguards.
33
Encryption
Encryption is a strong technical control used to protect the confidentiality of data. This includes data transferred over a network as well as data stored on devices like servers, desktop computers, and mobile devices.
34
Antivirus software.
Technical Control Category. Once installed, the antivirus software provides protection against malware infection.
35
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs)
Technical Control Category: IDSs and IPSs can monitor a network or host for intrusions and provide ongoing protection against various threats.
36
Firewalls
Technical Control Category: Network firewalls restrict network traffic going in and out of a network.
37
Least privilege
Technical Control Category: The least privilege principle specifies that individuals or processes are granted only the privileges they need to perform their assigned tasks or functions, but no more. Privileges are a combination of rights and permissions.
38
Risk assessments.
Managerial Controls: These help organizations quantify and qualify risks within an organization so that team members can focus on the serious risks. For example, a quantitative risk assessment uses cost and asset values to quantify risks based on monetary values. A qualitative risk assessment uses judgments to categorize risks based on probability and impact.
39
Vulnerability assessments
Managerial Controls: A vulnerability assessment attempts to discover current vulnerabilities. When necessary, additional controls are implemented to reduce the risk from these vulnerabilities.
40
Awareness and training.
Operational Control type: The importance of training to reduce risks cannot be overstated. Training helps users maintain password security, follow a clean desk policy, understand threats such as phishing and malware, and much more.
41
Configuration management
Operational Control type: Configuration management often uses baselines to ensure that systems start in a secure, hardened state. Change management helps ensure that changes don’t result in unintended configuration errors.
42
Media protection
Media includes physical media such as USB flash drives, external and internal drives, and backup tapes. That media may contain sensitive information and must be protected against loss or theft. Media protection policies describe how you use backups and encryption to protect media containing sensitive information.
43
Hardening
Hardening is the practice of making a system or application more secure than its default configuration. This uses a defense-in-depth strategy with layered security. It includes disabling unnecessary ports and services, implementing secure protocols, keeping a system patched, using strong passwords along with a robust password policy, and disabling default and unnecessary accounts.
44
Training.
Ensuring that users are aware of security vulnerabilities and threats helps prevent incidents. Users who understand how social engineers operate are less likely to be tricked. For example, uneducated users might be tricked into giving a social engineer their passwords, but educated users will see through the tactics and keep their passwords secure.
45
Security guards
Guards prevent and deter many attacks. For example, guards can prevent unauthorized access into secure areas of a building by first verifying user identities. Although a social engineer might attempt to fool a receptionist into letting him into a secure area, the presence of a guard will deter many social engineers from even trying these tactics.
46
Account disablement process.
An account disablement process ensures that user accounts are disabled when an employee leaves the organization. This prevents anyone, including ex-employees, from continuing to use these accounts.
47
IPS
Intrusion prevention system. An IPS can block malicious traffic before it reaches a network. This prevents security incidents.
48
Deterrent Controls
Deterrent controls attempt to discourage a threat. Some deterrent controls attempt to discourage potential attackers from attacking, and others attempt to discourage employees from violating a security policy.
49
Warning signs
A Deterrent Control. Signs around the outside of a facility may warn potential intruders that the facility is monitored. The only purpose of these signs is to deter an intruder from even trying to break into the facility.
50
Login banners
Login banners on computer systems are the digital version of warning signs. Before a user enters a username and password, they see a message warning them that attempting to access the system without permission is a crime.
51
Detective Controls
Although preventive and deterrent controls attempt to prevent security incidents, some incidents will still occur. Detective controls attempt to detect when vulnerabilities have been exploited, resulting in a security incident. The important point is that detective controls discover the event after it has occurred.
52
Log monitoring
Detective Controls: Several different logs record details of activity on systems and networks. For example, firewall logs record details of all traffic that the firewall blocked. By monitoring these logs, it’s possible to detect incidents. Some automated methods of log monitoring automatically detect potential incidents and report them right after they’ve occurred.
53
SIEM
Security information and event management (SIEM) systems. In addition to monitoring logs to detect any single incident, you can also use SIEMs to detect trends and raise alerts in real time. By analyzing past alerts, you can identify trends, such as an increase of attacks on a specific system.
54
Security audit.
Detective control: Security audits can examine the security posture of an organization. For example, an account audit can determine if personnel and technical policies are implementing account policies correctly.
55
Video surveillance
Detective control: A closed-circuit television (CCTV) system can record activity and detect events that have occurred. It’s worth noting that video surveillance can also be used as a deterrent control.
56
Motion detection
Detective control. Many alarm systems can detect motion from potential intruders and raise alarms.
57
IDS
Detective control: Intrusion detection system: An IDS can detect malicious traffic after it enters a network. It typically raises an alarm to notify IT personnel of a potential attack.
58
Corrective Controls
Corrective controls attempt to reverse the impact of an incident or problem after it has occurred. Their purpose is to get things back to normal as quickly as possible after an incident takes place. They restore the confidentiality, integrity, and/or availability that was affected by the incident.
59
Backups and system recovery.
Corrective controls: Backups ensure that personnel can recover data if it is lost or corrupted and system recovery procedures ensure administrators can recover a system after a failure.
60
Incident handling processes.
Corrective controls: Incident handling processes define steps to take in response to security incidents. This typically starts with an incident response policy and an incident response plan.
61
Compensating Controls
Compensating controls are alternative controls used instead of a primary control. For example, an organization might require employees to use smart cards when authenticating to a system. However, it might take time for new employees to receive their smart card. To allow new employees to access the network and still maintain a high level of security, the organization might choose to implement a Time-based One-Time Password (TOTP) as a compensating control. The compensating control still provides a strong authentication solution.
62
Directive Controls
Directive controls are designed to provide instruction to individuals on how they should handle security-related situations that arise. These are generally written documents that provide instructions rather than technical mechanisms that enforce a goal.
63
Policies, standards, procedures, and guidelines.
Security professionals use many different types of documents to direct actions. Policies provide high-level goal statements for the organization. Standards describe how to configure systems, applications, and security controls properly. Procedures offer step-by-step guidance on achieving a goal. Guidelines offer advice on achieving goals.
64
Change management
Change management ensures that changes don’t result in unintended outages. In other words, instead of administrators making changes whenever they’d like, they submit the change to a change management process. Notice that change management is an operational control which attempts to prevent incidents. In other words, it’s both an operational and directive control.
65
/var/log/secure
This log contains information related to the authentication and authorization of user sessions.
66
/var/log/
67
cat command
You can view logs using the system log viewer on Linux systems or by using the cat command from the terminal. As an example, you can view the authentication log (auth.log) with the following command: cat /var/log/auth.log
68
/var/log/syslog and/or /var/log/messages
They contain a wide variety of general system messages. This includes messages logged during startup, messages related to mail, the kernel, and other system activities.
69
Network Logs
Network logs record traffic on the network. These logs are on a variety of devices such as routers, firewalls, web servers, and network intrusion detection/prevention systems. You can typically manipulate these devices to log specific information, such as logging all traffic that the device passes, all traffic that the device blocks, or both. These logs are useful when troubleshooting connectivity issues and when identifying potential intrusions or attacks.
70
Firewall Logs
Firewalls serve as the border guards of the network. They decide what traffic is allowed to enter and leave the network and what traffic will be blocked. You’ll learn more about how firewalls work in Chapter 3. Firewalls are also an excellent source of log information because they can track every attempt to access the network and create detailed logs recording that information.
71
IDS/IPS Logs
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) monitor networks for malicious activity. IDS simply alert administrators to possible intrusions while IPS go further and try to block suspicious content. Because of the important security roles that they play, IDS and IPS systems are also excellent sources of security log data.
72
Packet Captures
Protocol analyzers (sometimes called sniffers) capture network traffic allowing administrators to view and analyze individual packets. Investigators looking into an active security incident may use a packet capture tool like Wireshark to capture network traffic related to the incident that they can later examine in careful detail to reconstruct what happened.
73
Metadata
Metadata is data that provides information about other data. Many applications store metadata about files and messages that can be very helpful to security investigators. For example, Figure 1.4 shows a portion of the metadata from an email message. Every email message contains this detailed information about how the email was routed, but it is normally hidden from the user’s view.
74
SIEM Systems
A security information and event management (SIEM) system provides a centralized solution for collecting, analyzing, and managing data from systems, applications, and infrastructure devices. It combines the services of security event management (SEM) and security information management (SIM) solutions. A SEM provides real-time monitoring, analysis, and notification of security events, such as suspected security incidents. A SIM provides long-term storage of data, along with methods of analyzing the data to look for trends or to create reports needed to verify compliance with laws or regulations. SIEM systems are very useful in large enterprises that have massive amounts of data and activity to monitor. Consider an organization with over 1,000 servers. When an incident occurs on just one of those servers, administrators need to know about it as quickly as possible. A benefit is that SIEM systems use scripts to automate the monitoring and reporting.
75
Log collectors.
The SIEM collects log data from devices throughout the network and stores these logs in a searchable database.
76
Data inputs.
SIEM feature: entries come from various sources, such as firewalls, routers, network intrusion detection, and prevention systems. They can also come from any system or application an organization wants to monitor, such as web servers, proxy servers, and database servers.
77
Log aggregation
SIEM feature. Aggregation refers to combining several dissimilar items into a single similar format. The SIEM system collects data from multiple systems, and these systems typically format log entries differently. However, the SIEM system can aggregate the data and store it so it is easy to analyze and search.
78
Correlation engine.
SIEM feature: A correlation engine is a software component used to collect and analyze event log data from various systems within the network. It typically aggregates the data looking for common attributes. It then uses advanced analytic tools to detect patterns of potential security events and raises alerts. System administrators can then investigate the alert.
79
Automated reports.
Most SIEM systems include multiple built-in reports. These are typically grouped in different categories, such as network traffic event monitoring, device events (such as events on border firewalls), threat events, logon/logoff events, compliance with specific laws, and more. Additionally, security professionals can create their own reports by specifying filters.
80
User behavior analysis.
SIEM feature. User behavior analysis (UBA) focuses on what users are doing, such as application and network activity. Some UBA processes watch critical files looking for who accessed them, what they did, and how frequently they access these files. UBA typically looks for abnormal patterns of activity that may indicate malicious intent.
81
Security alerts.
A SIEM typically comes with predefined alerts, which can provide continuous monitoring of systems and provide notifications of suspicious events. For example, if it detects a port scan on a server, it might send an email to an administrator group or display the alert on a heads-up display. SIEMs also include the ability to create new alerts.
82
Automated triggers.
A SIEM feature. Triggers cause an action in response to a predefined number of repeated events. As an example, imagine a trigger for failed logins is set at five. If an attacker repeatedly tries to log on to a server using Secure Shell (SSH), the server’s log will show the failed login attempts. When the SIEM detects more than five failed SSH logins, it can change the environment and stop the attack. It might modify a firewall to block these SSH login attempts or send a script to the server to temporarily disable SSH. A SIEM includes the ability to modify predefined triggers and create new ones.
83
Time synchronization.
All servers sending data to the SIEM should be synchronized with the same time. This becomes especially important when investigating an incident so that security investigators know when events occurred. Additionally, large organizations can have locations in different time zones. Each of these locations might have servers sending data to a single centralized SIEM. If the server logs use their local time, the SIEM needs to ensure that it compensates for the time offset. The Network Time Protocol (NTP) provides a way to keep the system clocks of all devices in an organization synchronized.
84
Archiving
SIEMs handle massive amounts of information and can’t keep it all on active storage. That would be too expensive. Instead, they provide the ability to move older logs offline to cheaper storage where they are not immediately accessible but can be restored if needed later.
85
NTP
Network Time Protocol
86
Alert Tuning
A challenge with triggers and alerts is tuning the sensitivity levels to limit false positives while avoiding false negatives.
87
SIEM Dashboards
Sensors. Many SIEM systems use agents placed on systems throughout a network. These collect logs from devices and send these logs to the SIEM system. Dashboards can display data received from these agents.

Alerts. After setting triggers in a SIEM system, it sends out alerts when the event occurs. These alerts may trigger specific responses (such as sending an email to a group), but they are also displayed in the dashboard.

Correlation. As log entries arrive at the SIEM system, it correlates and analyzes the data. Administrators can configure the dashboard to display this data in multiple ways depending on their needs.

Trends. As the SIEM system is analyzing the data, it can identify trends. For example, if there is suddenly a high rate of failed logins, it can identify the trend and raise an alert. Many SIEM systems display trends in graphs allowing users to digest a lot of information in a single picture.