Chapter 1: Understanding Security Fundamentals Flashcards
A design with multiple protective layers, so that if one layer of protection fails, the other layers are still in place to guard the company's data against attack.
Defense in Depth
Policies and procedures written by management to mitigate risk across the company.
Managerial Controls
Ex: Annual risk assessment, penetration testing/vulnerability scanning
Policies and procedures executed by personnel on a day-to-day basis.
Operational Controls
Ex: Annual Security Awareness Training, Change management, Business Continuity Plan
Controls implemented in hardware and software by the IT team to reduce the risk of a cyber security breach.
Technical Controls
Ex: Firewall rules, antivirus, screen savers, screen filters, IPS/IDS
CCTV (cameras that record crimes as they happen) and motion sensors, intended to discourage an attacker.
Deterrent Controls
Controls that identify and record that an incident has happened; they are used when investigating it.
Detective Controls
Files that record events taking place on devices such as servers, desktops and firewalls, with details of what happened. Timestamps give the time of the attack. Storing logs on WORM (write once, read many) media helps to avoid tampering.
Log Files
The actions taken to fix the damage and guard against future attacks of the same nature.
Corrective Controls
Used when the primary controls are not available or cannot be applied.
Compensating Controls (Alternative or Secondary Controls)
Used to stop potential problems from occurring in the first place, such as a former employee logging onto a company server and tampering with data.
Preventative Controls
Consists of three main parts:
Identification, Authentication, and Authorization.
Access Controls
Examples include a smart card, a Security Identifier (SID), or a fingerprint reader.
Identification
Used to verify the identity that was presented. Examples include a PIN or a password.
Authentication
Granting the access needed to perform your job, using the least amount of privilege required to reach that data.
Authorization
The owner of the data decides who may access it. On Windows this is done with New Technology File System (NTFS) file permissions, which are set to give the bare minimum privilege needed to perform your job.
Discretionary Access Control
The NTFS permissions are: Full Control, Modify, Read and Execute, List Folder Contents, Read, Write
Access is based on the label/level of the data; a user needs a clearance at or above that level.
Ex: Top Secret, Secret, Confidential
Mandatory Access Control(MAC)
A rule is set that applies only to the people in that department; no one else can access that data because the rule does not apply to them.
Rule-Based Access Control (RBAC)
Access is restricted based on attributes, such as an attribute held in the user's account.
Attribute-Based Access Control
Individuals are put into groups that hold certain privileges, which simplifies administering access.
Group-Based Access Control
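The access-control cards above (discretionary NTFS-style permissions, mandatory labels, rule/department-based, attribute-based and group-based) can be put side by side in one decision routine. The following is an added example written for this page, not code from the flashcards or from any product; the users, groups, file, labels and the `mfa` attribute are constructed sample data, and the rule that every applicable model must agree is this example's own choice.

```python
"""Toy access-control decision engine (added example, not from the flashcards).
Shows DAC (owner-managed ACL with NTFS-style rights), MAC (clearance vs. label),
rule-based (department), group-based (ACL entries for groups) and ABAC
(account attributes). All users, files and policies are constructed sample data."""
from dataclasses import dataclass, field

# MAC labels, lowest to highest. A subject may read an object only when its
# clearance is at or above the object's label ("no read up").
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# NTFS permissions from the card, with the rights each composite permission implies.
NTFS_RIGHTS = {"Full Control", "Modify", "Read and Execute",
               "List Folder Contents", "Read", "Write"}
IMPLIES = {
    "Full Control": {"Modify", "Read and Execute", "List Folder Contents", "Read", "Write"},
    "Modify": {"Read and Execute", "List Folder Contents", "Read", "Write"},
    "Read and Execute": {"List Folder Contents", "Read"},
}

@dataclass
class User:
    name: str
    clearance: str                                   # MAC
    department: str                                  # rule-based
    groups: set = field(default_factory=set)         # group-based
    attributes: dict = field(default_factory=dict)   # ABAC

@dataclass
class File:
    path: str
    owner: str                                       # DAC: the owner controls the ACL
    label: str                                       # MAC classification
    department: str
    acl: dict = field(default_factory=dict)          # principal (user or group) -> rights

def effective_rights(user, f):
    """DAC: union of the rights granted to the user and to each of its groups."""
    rights = set()
    for principal in {user.name, *user.groups}:
        for r in f.acl.get(principal, set()):
            rights.add(r)
            rights |= IMPLIES.get(r, set())
    return rights

def dac_grant(actor, f, principal, right):
    """Only the owner may change the ACL; that discretion is what makes it DAC."""
    if actor.name != f.owner:
        raise PermissionError(f"{actor.name} is not the owner of {f.path}")
    if right not in NTFS_RIGHTS:
        raise ValueError(f"unknown NTFS right: {right}")
    f.acl.setdefault(principal, set()).add(right)

def mac_allows_read(user, f):
    return LEVELS[user.clearance] >= LEVELS[f.label]

def rule_allows(user, f):
    return user.department == f.department

def abac_allows(user, required):
    return all(user.attributes.get(k) == v for k, v in required.items())

def can_read(user, f, required_attrs=None):
    """Every model that applies must allow the read; one denial is enough to refuse."""
    checks = {
        "dac": "Read" in effective_rights(user, f),
        "mac": mac_allows_read(user, f),
        "rule": rule_allows(user, f),
        "abac": abac_allows(user, required_attrs or {}),
    }
    return all(checks.values()), checks

def sample():
    """Constructed users and file (hypothetical, not from the page)."""
    alice = User("alice", "Secret", "Finance", {"Finance-Staff"}, {"mfa": True})
    bob = User("bob", "Confidential", "HR", {"HR-Staff"}, {"mfa": False})
    budget = File(r"D:\Finance\budget.xlsx", "alice", "Secret", "Finance",
                  {"Finance-Staff": {"Read and Execute"}})
    return alice, bob, budget

if __name__ == "__main__":
    alice, bob, budget = sample()
    print(can_read(alice, budget, {"mfa": True}))
    print(can_read(bob, budget, {"mfa": True}))
```

The point the cards make about least privilege shows up in `effective_rights`: granting the Finance group "Read and Execute" yields only the rights that permission implies, never Write. Even after the owner grants bob a DAC entry, the MAC check still refuses him because his clearance is below the file's label.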
- Collection
- Examination
- Analysis
- Reporting
Forensic Cycle
The data is identified, acquired from the media it is stored on, and converted into a format that forensic tools can examine.
Collection
Before the data is examined with a forensics tool, it is hashed to ensure integrity, so that once the investigation is over the data still has the same hash. This supports its use as evidence in court cases.
Examination
The data is analyzed and formatted so that it can be used as evidence.
Analysis
The findings are documented so that the evidence from the investigation can be presented, for example to obtain a conviction.
Reporting
Evidence is admissible only if it pertains to the case and was obtained without violating any laws or statutes.
Admissibility
Decisions must be made about which evidence is the most perishable and needs to be secured first: memory and network state are lost before data on disk or on backups. We do not stop the attack until we have secured the evidence and can identify the attack.
Order of Volatility
Companies may be subpoenaed so that evidence can be collected, reviewed and interpreted from files on hardware devices or other forms of storage.
E-Discovery
A documented record of who handled the evidence, when and why, which ensures that it has not been tampered with; an undocumented gap breaks the chain.
Chain of Custody
Evidence whose origin is documented, presented to the court as not having been tampered with.
Provenance
The process of preserving data that may be needed as evidence, so that it is not deleted or altered.
Legal Hold
A time offset (the difference between the device's clock or time zone and a reference time) is recorded with the evidence so that a sequence of events can be built in a case that spans multiple countries.
Time Offset
Evidence collected from multiple time zones is converted to a common time zone (time normalization) so that the timestamps can be compared.
Time Normalization
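The log-file, time-offset and time-normalization cards above come together when log lines from devices in several time zones have to be placed on one timeline. The following is an added example written for this page, not code from the flashcards: the device names, IP addresses and log lines are constructed, and the `clock_offsets` argument (seconds a device's clock was found to be fast or slow) is this example's own way of applying a measured time offset.

```python
"""Time normalization of log evidence (added example, not from the flashcards).
Constructed log lines from three devices in different time zones are parsed,
each event keeps its local time and UTC offset, every timestamp is converted to
UTC (optionally corrected for a measured clock error), and the events are
ordered into one timeline."""
from datetime import datetime, timedelta, timezone

# Constructed sample log lines: "<device> <local ISO timestamp with UTC offset> <message>".
SAMPLE_LOGS = [
    "fw-nyc 2024-03-04T22:15:07-05:00 DROP TCP 203.0.113.7:41022 -> 10.0.0.5:445",
    "web-lon 2024-03-05T03:14:59+00:00 POST /login user=admin status=401",
    "db-mum 2024-03-05T08:46:30+05:30 new session from 10.0.0.5 user=svc_backup",
    "web-lon 2024-03-05T03:15:02+00:00 POST /login user=admin status=200",
]

def parse_line(line):
    """Split a log line and keep both the local time and its offset from UTC."""
    device, stamp, message = line.split(" ", 2)
    local = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")
    return {
        "device": device,
        "local": local,
        "offset_min": int(local.utcoffset().total_seconds() // 60),
        "utc": local.astimezone(timezone.utc),
        "message": message,
    }

def normalize(lines, clock_offsets=None):
    """Convert every event to UTC, correct known clock errors, and order them.
    clock_offsets maps device -> seconds its clock was found to be fast (+) or slow (-)."""
    events = [parse_line(line) for line in lines]
    for e in events:
        skew = (clock_offsets or {}).get(e["device"], 0)
        e["utc"] = e["utc"] - timedelta(seconds=skew)
    events.sort(key=lambda e: e["utc"])
    return events

def naive_order(lines):
    """For comparison: sorting on the raw local timestamps puts events out of sequence."""
    return [l.split(" ", 2)[0] for l in sorted(lines, key=lambda l: l.split(" ", 2)[1])]

def timeline(lines, clock_offsets=None):
    """One line per event in UTC, keeping the original local time and offset as evidence."""
    return [
        f"{e['utc'].strftime('%Y-%m-%dT%H:%M:%SZ')} "
        f"(local {e['local'].isoformat()}, offset {e['offset_min']:+d} min) "
        f"{e['device']}: {e['message']}"
        for e in normalize(lines, clock_offsets)
    ]

if __name__ == "__main__":
    for row in timeline(SAMPLE_LOGS):
        print(row)
```

Sorting the raw timestamps puts the New York firewall event first because its local date is still 4 March; after normalization it lands between the two London login attempts, where it belongs. The original local time and offset are retained on each row so the normalized timeline can still be traced back to what each device actually recorded.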
A copy of the evidence is made so that analysis, which may alter data, is done on the copy while the original stays intact and untampered.
Forensics Copy
System images are taken from laptops and desktops so that the original is left untouched; the copied images are then analyzed for criminal activity.
Capturing System Images
Attackers can reverse engineer and modify this code, so the captured firmware is compared against the vendor's current code to see whether it was tampered with.
Firmware
If the evidence is from a virtual machine, a snapshot of it is taken for the investigation.
Snapshots
A screenshot captures what was on the screen at the time; mobile devices can geotag screenshots taken as evidence of breached applications or viruses.
Screenshots
System images and forensic copies are hashed at the start so that the hash can be compared with one taken at the end, ensuring integrity.
Hashing Forensic Evidence
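The examination card and the hashing card above describe the same procedure: hash the image before any tool touches it, work on a forensic copy, and re-hash at the end. The following is an added example written for this page, not code from the flashcards or from any forensic tool; the "disk image" is a few constructed bytes written to a temporary directory, and the manifest format (digest, two spaces, file name) is this example's own choice.

```python
"""Hashing forensic evidence (added example, not from the flashcards).
Writes a constructed 'disk image', records its SHA-256 in a manifest before
examination, makes a forensic copy, and verifies both at the end of the
investigation; any modification shows up as a hash mismatch."""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # hash large images in 1 MiB pieces instead of loading them whole

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(original, copy):
    """Forensic copy: duplicate the image, hash both, refuse the copy if they differ."""
    shutil.copyfile(original, copy)
    src, dst = sha256_file(original), sha256_file(copy)
    if src != dst:
        raise RuntimeError("copy does not match original")
    return src

def write_manifest(path, digest, manifest):
    """Append 'digest  name' so the hash taken at acquisition is kept with the evidence."""
    with open(manifest, "a") as m:
        m.write(f"{digest}  {os.path.basename(path)}\n")

def verify_manifest(manifest, directory):
    """Re-hash every listed file; True means it still matches the acquisition hash."""
    results = {}
    with open(manifest) as m:
        for line in m:
            digest, name = line.rstrip("\n").split("  ", 1)
            results[name] = sha256_file(os.path.join(directory, name)) == digest
    return results

def demo():
    """Run the whole cycle on a constructed image and return (digest, before, after)."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "laptop.img")
    copy = os.path.join(work, "laptop-copy.img")
    manifest = os.path.join(work, "SHA256SUMS")
    with open(original, "wb") as f:  # constructed image content, not a real file system
        f.write(b"NTFS    " + b"\x00" * 4096 + b"payroll.xlsx" + b"\x00" * 1024)
    digest = acquire(original, copy)
    write_manifest(original, digest, manifest)
    write_manifest(copy, digest, manifest)
    before = verify_manifest(manifest, work)
    # Simulate something altering the working copy during analysis.
    with open(copy, "r+b") as f:
        f.seek(4100)
        f.write(b"X")
    after = verify_manifest(manifest, work)
    shutil.rmtree(work)
    return digest, before, after

if __name__ == "__main__":
    digest, before, after = demo()
    print(digest)
    print("before analysis:", before)
    print("after analysis: ", after)
```

Only the copy is ever opened for writing, so the original keeps verifying; a single changed byte in the copy flips its entry to False, which is exactly the mismatch that would have to be explained before that copy could be relied on as evidence.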
Mostly for web-based or remote attacks, we want to capture the volatile network traffic before we stop the attack; this gives a good idea of where the attack originated.
Logs also help with timing, show exactly what was changed, and give an overall grasp of the nature of the attack.
Network Traffic and Logs