CHAPTER 11_Security Operations Flashcards
Bullets: Output should not be able to be rerouted
Diagnostic output from a system can contain sensitive information. The diagnostic log files, including console output, must be protected by access controls from being read by anyone other than authorized administrators. Unauthorized users must not be able to redirect the destination of diagnostic logs and console output.
Emphasis: Personnel testing
• Personnel testing includes reviewing employee tasks and thus identifying vulnerabilities in the standard practices and procedures that employees are instructed to follow, demonstrating social-engineering attacks and the value of training users to detect and resist such attacks, and reviewing employee policies and procedures to ensure those security risks that cannot be reduced through physical and logical controls are met with the final control category: administrative.
Emphasis: Password Cracking
Chapter 3 discussed access control and authentication methods in depth. Although there are various ways of authenticating a user, most of the time a static password is the method of choice for many companies. The main reason for this is that the computing community is familiar with static passwords. It is how many systems and applications have their authentication processes coded, and it is an easier and cheaper technique to maintain than other options such as smart cards or biometrics.
Bullets: Configures and maintains security labels in mandatory access control (MAC) environments
MAC environments, mostly found in government and military agencies, have security labels set on data objects and subjects. Access decisions are based on comparing the object’s classification and the subject’s clearance, as covered extensively in Chapter 3. It is the responsibility of the security administrator to oversee the implementation and maintenance of these access controls.
Bullets: Countermeasure
Ensure that security patches to operating systems—after sufficient testing—are promptly deployed in the environment to keep the window of vulnerability as small as possible.
Explanations: Unusual or Unexplained Occurrences
Networks, and the hardware and software within them, can be complex and dynamic. At times, conditions occur that are at first confusing and possibly unexplainable. It is up to the operations department to investigate these issues, diagnose the problem, and come up with a logical solution.
Emphasis: spoof
It is very easy to spoof e-mail messages, which means to alter the name and address in the From field. All an attacker needs to do is modify the sender information in the Preferences section of his mail client and restart the application; nothing in the From header itself authenticates the sender. As an example of a spoofed e-mail message, an attacker could change the name in the From field to the name of the network administrator and send an e-mail message to the CEO’s secretary, telling her the IT department is having problems with some servers and needs her to change her network logon to “password.” If she receives this e-mail and sees the From field has the network administrator’s name in it, she will probably fulfill this request without thinking twice. Only the receiving mail system can catch this, by checking the envelope sender and the relay that delivered the message, or by validating SPF, DKIM, and DMARC for the claimed domain.
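The following is an added example, not code from the book, showing why the From field proves nothing and what a receiving system can check instead. It parses two constructed messages (not real captures): one with a forged From claiming the network administrator, and one genuinely from that account. The company domain `corp.example`, the internal range `10.0.0.0/8`, and the function `spoof_indicators` are assumptions for the example. The checks compare the From domain with the envelope sender in Return-Path and with the IP address of the relay recorded in the topmost Received header.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumed company domain and internal address ranges (not from the page).
INTERNAL_DOMAIN = "corp.example"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed raw message, not a real capture: the From header names the
# network administrator, but the envelope sender (Return-Path) and the
# relay that handed the message to our MX both point outside the company.
SPOOFED_MSG = """\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.corp.example (Postfix) with ESMTP id 4F2A1
\tfor <ceo.assistant@corp.example>; Mon, 01 Jan 2024 09:00:00 +0000
From: "Network Administrator" <netadmin@corp.example>
To: ceo.assistant@corp.example
Subject: Server problems - temporary logon change

The servers are having problems. Please change your network logon to "password".
"""

# Constructed legitimate message from the same sender, delivered internally.
LEGIT_MSG = """\
Return-Path: <netadmin@corp.example>
Received: from ws-netadmin.corp.example (ws-netadmin.corp.example [10.0.0.5])
\tby mx.corp.example (Postfix) with ESMTP id 4F2A2
\tfor <ceo.assistant@corp.example>; Mon, 01 Jan 2024 09:05:00 +0000
From: "Network Administrator" <netadmin@corp.example>
To: ceo.assistant@corp.example
Subject: Maintenance window tonight

Servers will be patched at 22:00; no action is needed from you.
"""


def _domain(header_value):
    """Lower-cased domain part of the first address in a header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def spoof_indicators(raw_message, internal_domain=INTERNAL_DOMAIN,
                     internal_nets=INTERNAL_NETS):
    """Return reasons to distrust a message whose From claims an internal
    sender: a mismatching envelope sender domain, and a last relay outside
    the internal network. An empty list means no indicator fired."""
    msg = email.message_from_string(raw_message)
    reasons = []
    from_domain = _domain(msg.get("From", ""))
    if from_domain != internal_domain:
        return reasons  # not posing as internal; this check does not apply
    rp_domain = _domain(msg.get("Return-Path", ""))
    if rp_domain != internal_domain:
        reasons.append(f"envelope sender domain {rp_domain!r} differs "
                       f"from From domain {from_domain!r}")
    received = msg.get_all("Received") or []
    if received:  # topmost Received line is the hop that delivered to us
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
        if m:
            relay = ipaddress.ip_address(m.group(1))
            if not any(relay in net for net in internal_nets):
                reasons.append(f"last relay {relay} is outside the internal network")
    return reasons


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MSG), ("legitimate", LEGIT_MSG)):
        print(name, spoof_indicators(raw) or "no indicators")
```

These two checks are cheap and catch the crude case in the text, but Return-Path and lower Received lines can themselves be forged by the sender; only the Received line written by your own MX is trustworthy, and a production setup should rely on SPF, DKIM, and DMARC evaluation for the claimed domain rather than on these heuristics alone.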
Bullets: Internal and external labeling
of each piece of media in the library should include
Emphasis: system reboot
A system reboot takes place after the system shuts itself down in a controlled manner in response to a kernel (trusted computing base) failure. If the system finds inconsistent object data structures or if there is not enough space in some critical tables, a system reboot may take place. This releases resources and returns the system to a more stable and safer state.
Emphasis: protocol analyzers
A network sniffer is a tool that monitors traffic as it traverses a network. Administrators and network engineers often use sniffers to diagnose network problems. Sniffers are also referred to as network analyzers or protocol analyzers. When used as a diagnostic tool, a sniffer enables the administrator to see what type of traffic is being generated in the hope of getting closer to the root of the network problem. When a sniffer is used as a tool by an attacker, the sniffer can capture usernames, passwords, and confidential information as they travel over the network.
Bullets: Man-in-the-middle attack
An intruder injects herself into an ongoing dialog between two computers so she can intercept and read messages being passed back and forth. These attacks can be countered with digital signatures and mutual authentication techniques.
Explanation Bullets: An operating system’s response to a type of failure can be classified as one of the following:
- System reboot
- Emergency system restart
- System cold start
Bullets: Ensuring environmental conditions do not endanger media
Each media type may be susceptible to damage from one or more environmental influences. For example, all media formats are susceptible to fire, and most are susceptible to liquids, smoke, and dust. Magnetic media formats are susceptible to strong magnetic fields. Magnetic and optical media formats are susceptible to variations in temperature and humidity. A media library and any other space where reference copies of information are stored must be physically built so all types of media will be kept within their environmental parameters, and the environment must be monitored to ensure conditions do not range outside of those parameters. Media libraries are particularly useful when large amounts of information must be stored and physically/environmentally protected so that the high cost of environmental control and media management may be centralized in a small number of physical locations, and so that cost is spread out over the large number of items stored in the library.
Bullets: File and directory permissions
Many of the previously described attacks rely on inappropriate file or directory permissions—that is, an error in the access control of some part of the system, on which a more secure part of the system depends. Also, if a system administrator makes a mistake that results in decreasing the security of the permissions on a critical file, such as making a password database accessible to regular users, an attacker can take advantage of this to add an unauthorized user to the password database, or an untrusted directory to the dynamic load library search path.
Bullets: Tracking the number and location of backup versions
(both onsite and offsite). This is necessary to ensure proper disposal of information when the information reaches the end of its lifespan, to account for the location and accessibility of information during audits, and to find a backup copy of information if the primary source of the information is lost or damaged.
Emphasis: shoulder surfing
Another type of browsing attack is called shoulder surfing, where an attacker looks over another’s shoulder to see items on that person’s monitor or what is being typed in at the keyboard.
Explanations: email Relaying
[Cartoon caption: “Could you please pass on this irritating message that no one wants?” “Sure.”]
Emphasis: double-blind test
A double-blind test (stealth assessment) is also a blind test to the assessor as mentioned previously, plus the security staff is not notified. This enables the test to evaluate the network’s security level and the staff’s responses, log monitoring, and escalation processes, and is a more realistic demonstration of the likely success or failure of an attack.
Explanations: Operational Responsibilities
Operations security encompasses safeguards and countermeasures to protect resources, information, and the hardware on which the resources and information reside. The goal of operations security is to reduce the possibility of damage that could result from unauthorized access or disclosure by limiting the opportunities of misuse.
Explanation Bullets: Numerous changes can take place in a company, some of which are as follows:
- New computers installed
- New applications installed
- Different configurations implemented
- Patches and updates installed
- New technologies integrated
- Policies, procedures, and standards updated
- New regulations and requirements implemented
- Network or system problems identified and fixes implemented
- Different network configuration implemented
- New networking devices integrated into the network
- Company acquired by, or merged with, another company
Explanations: Session Hijacking
Many attackers spoof their source address, meaning the IP address in the packets used to carry out the attack is not their own. This makes it much harder to trace the attacker, which is the point of spoofing in the first place. Spoofing also lets an attacker inject packets into an established session between two hosts and take it over (session hijacking) without either party noticing, which is why ingress filtering of spoofed source addresses and encrypted, mutually authenticated sessions are the usual countermeasures.
Explanations: email Security
The Internet was first developed mainly for government agencies and universities to communicate and share information, but today businesses need it for productivity and profitability. Millions of individuals also depend upon it as their window to a larger world and as a quick and efficient communications tool.
Emphasis: Grid computing
Grid computing is another load-balanced parallel means of massive computation, similar to clusters, but implemented with loosely coupled systems that may join and leave the grid at any time. Most computers have extra CPU processing power that is not being used many times throughout the day. So some smart people thought that was wasteful and came up with a way to use all of this extra processing power. Just like the power grid provides electricity to entities on an as-needed basis (if you pay your bill), computers can volunteer to allow their extra processing power to be available to different groups for different projects. One of the best-known early projects to use grid computing was SETI@home (Search for Extraterrestrial Intelligence), where people allowed their systems to participate in scanning the universe looking for aliens who are trying to talk to us.
Explanations: How e-mail Works
[Cartoon caption: “I think e-mail is delivered by an e-mail fairy wearing a purple dress.” “Exactly.”]
Emphasis: Targeted tests
Targeted tests can involve external consultants and internal staff carrying out focused tests on specific areas of interest. For example, before a new application is rolled out, the team might test it for vulnerabilities before installing it into production. Another example is to focus specifically on systems that carry out e-commerce transactions and not the other daily activities of the company.
Explanations: Backdoors
Chapter 4 discussed backdoors and some of the potential damage that can be caused by them. It also looked at how backdoors are inserted into the code so a developer can access the software at a later time, bypassing the usual security authentication and authorization steps. Now we will look at how and why attackers install backdoors on victims’ computers.
Explanation Bullets: The goals of the assessment are to
- Evaluate the true security posture of an environment (don’t cry wolf, as discussed earlier).
- Identify as many vulnerabilities as possible, with honest evaluations and prioritizations of each.
- Test how systems react to certain circumstances and attacks, to learn not only what the known vulnerabilities are (such as this version of the database, that version of the operating system, or a user ID with no password set), but also how the unique elements of the environment might be abused (SQL injection attacks, buffer overflows, and process design flaws that facilitate social engineering).
Before the scope of the test is decided and agreed upon, the tester must explain the testing ramifications. Vulnerable systems could be knocked offline by some of the tests, and production could be negatively affected by the loads the tests place on the systems.
Emphasis: server cluster
Clustering is a fault-tolerant server technology that is similar to redundant servers, except each server takes part in processing services that are requested. A server cluster is a group of servers that are viewed logically as one server to users and can be managed as a single logical system. Clustering provides for availability and scalability. It groups physically different systems and combines them logically, which provides immunity to faults and improves performance. Clusters work as an intelligent unit to balance traffic, and users who access the cluster do not know they may be accessing different systems at different times. To the users, all servers within the cluster are seen as one unit. Clusters may also be referred to as server farms.
Emphasis: single point of failure
A single point of failure poses a lot of potential risk to a network, because if the device fails, a segment or even the entire network is negatively affected. Devices that could represent single points of failure are firewalls, routers, network access servers, T1 lines, switches, bridges, hubs, and authentication servers—to name a few. The best defenses against being vulnerable to these single points of failure are proper maintenance, regular backups, redundancy, and fault tolerance.
Emphasis: Do too many users have rights and privileges to sensitive or restricted data or resources?
• Do too many users have rights and privileges to sensitive or restricted data or resources? The answer would indicate whether access rights to the data and resources need to be reevaluated, whether the number of individuals accessing them needs to be reduced, and/or whether the extent of their access rights should be modified.
Bullets: Fake login screens
A fake login screen is created and installed on the victim’s system. When the user attempts to log into the system, this fake screen is presented to the user, requesting he enter his credentials. When he does so, the screen captures the credentials and exits, showing the user the actual login screen for his system. Usually the user just thinks he mistyped his password and attempts to authenticate again without knowing anything malicious just took place. A host-based IDS can be used to detect this type of activity.
Bullets: Buffer overflows
Poor programming practices, or sometimes bugs in libraries, allow more input than the program has allocated space to store it. This overwrites data or program memory after the end of the allocated buffer, and sometimes allows the attacker to inject program code and then cause the processor to execute it. This gives the attacker the same level of access as that held by the program that was attacked. If the program was run as an administrative user or by the system itself, this can mean complete access to the system.
Explanation Bullets: Quick Tips
- Facilities that house systems that process sensitive information should have physical access controls to limit access to authorized personnel only.
- Data should be classified, and the necessary technical controls should be put into place to protect its integrity, confidentiality, and availability.
- Hacker tools are becoming increasingly sophisticated while requiring less and less knowledge on the attacker’s part about how they work.
- Quality assurance involves the verification that supporting documentation requirements are met.
- Quality control ensures that an asset is operating within accepted standards.
- System and audit logs should be monitored and protected from unauthorized modification.
- Repetitive errors can indicate lack of training or issues resulting from a poorly designed system.
- Sensitive data should not be printed and left at stand-alone printers or fax devices.
- Users should have the necessary security level to access data and resources, but must also have a need to know.
- Clipping levels should be implemented to establish a baseline of user activity and acceptable errors.
- Separation of responsibilities and duties should be in place so that if fraud takes place, it requires collusion.
- Sensitive information should contain the correct markings and labels to indicate the corresponding sensitivity level.
- Contract and temporary staff members should have more restrictive controls put upon their accounts.
- Access to resources should be limited to authorized personnel, applications, and services and should be audited for compliance to stated policies.
- Change control and configuration management should be put in place so changes are approved, documented, tested, and properly implemented.
- Activities that involve change management include requesting a change, approving a change, documenting a change, testing a change, implementing a change, and reporting to management.
- Systems should not allow their bootup sequences to be altered in a way that could bypass operating system security mechanisms.
- Potential employees should have background investigations, references, experience, and education claims checked out.
- Proper fault-tolerant mechanisms should be put in place to counter equipment failure.
- Antivirus and IDS signatures should be updated on a continual basis.
- System, network, policy, and procedure changes should be documented and communicated.
- When media is reused, it should contain no residual data.
- Media holding sensitive data must be properly purged, which can be accomplished through zeroization, degaussing, or media destruction.
- Life-cycle assurance involves protecting a system from inception to development to operation to removal.
- The key aspects of operations security include resource protection, change control, hardware and software controls, trusted system recovery, separation of duties, and least privilege.
- Least privilege ensures that users, administrators, and others accessing a system have access only to the objects they absolutely require to complete their job.
- Vulnerability assessments should be done on a regular basis to identify new vulnerabilities.
- The operations department is responsible for any unusual or unexplained occurrences, unscheduled initial program loads, and deviations from standards.
- Standards need to be established that indicate the proper startup and shutdown sequence, error handling, and restoration procedures.
- A teardrop attack involves sending malformed, overlapping fragmented packets to a vulnerable system so that reassembly fails; patching and dropping overlapping fragments at the firewall or IDS are the countermeasures.
- Improper mail relay configurations allow for mail servers to be used to forward spam messages.
- Phishing involves an attacker sending false messages to a victim in the hopes that the victim will provide personal information that can be used to steal their identity.
- A browsing attack occurs when an attacker looks for sensitive information without knowing what format it is in.
- A fax encryptor encrypts all fax data leaving a fax server.
- A system can fail in one of the following manners: system reboot, emergency system restart, and system cold start.
- The main goal of operations security is to protect resources.
- Operational threats include disclosure, theft, corruption, interruption, and destruction.
- Operations security involves balancing the necessary level of security with ease of use, compliance, and cost constraints.
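The quick tip on clipping levels above says a baseline of acceptable errors should be established; the following added example (not code from the book) shows what that looks like as detection logic. It runs a sliding-window count of failed logons per user over a constructed authentication log; the log format, the clipping level of 5 failures, and the 5-minute window are assumptions chosen for the example. Users who stay at or below the clipping level are treated as ordinary mistakes and never reported.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed authentication log, not a real one. Each line is
# "<ISO timestamp> <user> <OK|FAIL> <source IP>".
SAMPLE_LOG = """\
2024-01-01T09:00:01 alice FAIL 10.0.0.5
2024-01-01T09:00:04 alice FAIL 10.0.0.5
2024-01-01T09:00:09 alice OK 10.0.0.5
2024-01-01T09:01:00 bob FAIL 198.51.100.7
2024-01-01T09:01:02 bob FAIL 198.51.100.7
2024-01-01T09:01:04 bob FAIL 198.51.100.7
2024-01-01T09:01:06 bob FAIL 198.51.100.7
2024-01-01T09:01:08 bob FAIL 198.51.100.7
2024-01-01T09:01:10 bob FAIL 198.51.100.7
2024-01-01T10:30:00 carol FAIL 10.0.0.9
2024-01-01T14:30:00 carol FAIL 10.0.0.9
2024-01-01T14:30:05 carol OK 10.0.0.9
"""

# Assumed clipping level: more than this many failures per user inside the
# window is reported; at or below it is treated as ordinary user error.
CLIPPING_LEVEL = 5
WINDOW_SECONDS = 300


def parse_log(text):
    """Return a list of (timestamp, user, result, source) tuples in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, source = line.split()
        events.append((datetime.fromisoformat(ts), user, result, source))
    return events


def exceeded_clipping(events, level=CLIPPING_LEVEL, window=WINDOW_SECONDS):
    """Sliding-window count of FAIL events per user. Returns a dict
    user -> {"failures": peak count inside one window, "sources": set of IPs}
    for users whose count went above `level`."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = {}
    for ts, user, result, source in events:
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop failures outside the window
            q.popleft()
        if len(q) > level:
            entry = alerts.setdefault(user, {"failures": 0, "sources": set()})
            entry["failures"] = max(entry["failures"], len(q))
            entry["sources"].add(source)
    return alerts


if __name__ == "__main__":
    for user, info in exceeded_clipping(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info['failures']} failures within {WINDOW_SECONDS}s "
              f"from {', '.join(sorted(info['sources']))}")
```

In the sample, alice’s two mistakes and carol’s two failures hours apart stay under the level, while bob’s six failures in ten seconds from an external address trip it. A successful logon does not clear the counter here, on purpose: a burst of failures followed by a success is exactly the pattern a password-guessing tool that finally succeeds produces, and it should still be reviewed.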
Remote Administration : To gain the benefits of remote access without taking on unacceptable risks, remote administration needs to take place securely. The following are just a few of the guidelines to use:
- Commands and data should not be sent in cleartext (that is, they should be encrypted). For example, Secure Shell (SSH) should be used, not Telnet.
- Truly critical systems should be administered locally instead of remotely.
- Only a small number of administrators should be able to carry out this remote functionality.
- Strong authentication should be in place for any administration activities.
- Anyone who wears green shoes really should not be able to access these systems. They are weird.
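The remote administration guidelines above are principles; the following added example (not code from the book) turns them into a check against an OpenSSH server configuration, since SSH is the tool the text names. It parses two constructed `sshd_config` excerpts (not taken from any real host) and reports directives that deviate from an assumed baseline: no root logon, no password or empty-password authentication, public keys only, and an explicit `AllowUsers` list for the small set of administrators. The baseline values, the `DEFAULTS` table of what OpenSSH applies when a directive is absent, and the function names are the editor’s assumptions.

```python
import re

# Assumed baseline for a remote-administration host; the page lists the
# principles, these specific directive values are the reviewer's choice.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}
REQUIRED = ["allowusers"]   # an explicit short list of admin accounts

# OpenSSH defaults that apply when a directive is absent (recent releases);
# an absent directive is therefore not automatically safe.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}

# Constructed sshd_config excerpts, not taken from any real host.
WEAK_CONFIG = """\
# sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowUsers opsadmin1 opsadmin2
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {directive: value} honouring sshd's rule that the first
    occurrence of a directive wins. Stops at the first Match block, whose
    settings are conditional and need separate handling."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd(text):
    """List deviations from the baseline, including directives left at an
    insecure default."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        have = settings.get(key, DEFAULTS[key])
        if have.lower() != want:
            findings.append(f"{key} is {have!r} (want {want!r})")
    for key in REQUIRED:
        if key not in settings:
            findings.append(f"{key} is not set; any account may attempt to log in")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd(cfg) or "no findings")
```

The weak excerpt produces three findings (root logon, password authentication, no `AllowUsers`); the hardened one produces none. Note that this reads only the global section: settings inside `Match` blocks, included files, and command-line overrides are not examined, so treat a clean result as a first pass, not proof, and confirm the effective configuration with `sshd -T` on the host.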
Emphasis: Mean Time Between Failures
Mean time between failures (MTBF) is the predicted average operating time between failures of a repairable component or system. It is calculated by the vendor of the equipment or by a third party, either from historical failure data or from engineering estimates, and it serves as a benchmark for reliability. Operations staff use it, together with mean time to repair (MTTR), to estimate availability and to plan roughly when a device will need to be replaced. It is not a guaranteed lifespan: a device with a long MTBF can still fail early, and many units will have failed before the MTBF figure is reached.
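The following added example (not from the book) works the MTBF definition through to the numbers an operations team actually uses: availability from MTBF and MTTR, expected yearly downtime, and the probability that a unit survives to a given age. The firewall figures are constructed, and the survival calculation assumes a constant failure rate (exponential model), which is an assumption of this example rather than something the page states.

```python
import math


def mtbf_hours(total_operating_hours, failures):
    """MTBF = total operating time / number of failures, for a repairable
    component. With no failures observed the estimate is unbounded."""
    if failures == 0:
        return math.inf
    return total_operating_hours / failures


def availability(mtbf, mttr):
    """Steady-state availability A = MTBF / (MTBF + MTTR)."""
    return mtbf / (mtbf + mttr)


def yearly_downtime_hours(avail):
    """Expected unplanned downtime per year for a given availability."""
    return (1 - avail) * 8760


def survival_probability(hours, mtbf):
    """Probability the component runs `hours` without failing, assuming a
    constant failure rate (exponential model); an assumption, not from the page."""
    return math.exp(-hours / mtbf)


if __name__ == "__main__":
    # Constructed figures: a pair of firewalls ran a combined 20,000 hours,
    # failed 4 times, and each repair took 2 hours.
    mtbf = mtbf_hours(20_000, 4)                    # 5000 h
    a = availability(mtbf, mttr=2)                  # about 0.9996
    print(f"MTBF {mtbf:.0f} h, availability {a:.5f}, "
          f"{yearly_downtime_hours(a):.1f} h downtime/year")
    # An MTBF of 5000 h is not a 5000 h lifetime: under the exponential
    # model only about 37% of units are still running at t = MTBF.
    print(f"P(survive 5000 h) = {survival_probability(5000, mtbf):.2f}")
```

The last line is the practical caveat: treating MTBF as a replacement date means that, under the constant-failure-rate assumption, roughly two thirds of the fleet has already failed by that date. Replacement planning should be driven by the availability target and the cost of unplanned downtime, not by the MTBF figure alone.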
Emphasis: Security and Network Personnel
The security administrator should not report to the network administrator, because their responsibilities have different focuses. The network administrator is under pressure to ensure high availability and performance of the network and resources and to provide the users with the functionality they request. But many times this focus on performance and user functionality is at the cost of security. Security mechanisms commonly decrease performance in either processing or network transmission because there is more involved: content filtering, virus scanning, intrusion detection and prevention, anomaly detection, and so on. Since these are not the areas of focus and responsibility of many network administrators, a conflict of interest could arise. The security administrator should be within a different chain of command from that of the network personnel to ensure that security is not ignored or assigned a lower priority.
Emphasis: Network and Resource Availability
In the triangle of security services, availability is one of the foundational components, the other two being confidentiality and integrity. Network and resource availability often is not fully appreciated until it is gone. That is why administrators and engineers need to implement effective backup and redundant systems to make sure that when something happens (and something will happen), users’ productivity will not be drastically affected.
Emphasis: acceptable use policy
Companies should have an acceptable use policy, which indicates what software users can install and informs users that the environment will be surveyed from time to time to verify compliance. Technical controls should be put in place to prevent unauthorized users from being able to install unauthorized software in the environment.
Bullets: System-forced shutdown should not be allowed
To reduce the possibility of an unauthorized configuration change taking effect, and to reduce the possibility of denial of service through an inappropriate shutdown, only administrators should have the ability to instruct critical systems to shut down.
Bullets: Teardrop
This attack sends malformed fragmented packets to a victim, with fragment offsets chosen so that the fragments overlap. A vulnerable system cannot reassemble the packets correctly and freezes or crashes as a result. Countermeasures are to patch the system and to have the firewall or IDS drop or flag packets whose fragments overlap, rather than passing them to the host for reassembly.
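The following added example (not code from the book) shows what “malformed fragments” means concretely and implements the check a firewall or IDS applies before reassembly. Each fragment is represented by the three values its IP header carries (byte offset, payload length, more-fragments flag); the fragment sets are constructed, not captured traffic, and the function name is an assumption. The teardrop set places the second fragment entirely inside the first, which is what made naive reassemblers compute a negative length.

```python
# Each fragment is (byte offset, payload length in bytes, more_fragments flag),
# i.e. the values carried in the IP header of one fragment of one datagram.

def fragment_problems(fragments):
    """Return a list of reasons a fragment set should be dropped rather than
    reassembled: overlapping byte ranges (the teardrop pattern), or offsets
    and non-final lengths that are not multiples of 8 as IPv4 requires."""
    problems = []
    for i, (off, length, mf) in enumerate(fragments):
        if off % 8:
            problems.append(f"fragment {i}: offset {off} not a multiple of 8")
        if mf and length % 8:
            problems.append(f"fragment {i}: non-final length {length} not a multiple of 8")
        if length <= 0:
            problems.append(f"fragment {i}: non-positive length {length}")
    # Fragments may arrive in any order; check coverage in offset order.
    ordered = sorted(enumerate(fragments), key=lambda t: t[1][0])
    covered_to = 0
    prev = None
    for i, (off, length, _mf) in ordered:
        end = off + length
        if prev is not None and off < covered_to:
            problems.append(f"fragment {i} [{off},{end}) overlaps fragment {prev} "
                            f"(data already covered up to byte {covered_to})")
        covered_to = max(covered_to, end)
        prev = i
    return problems


# Constructed fragment sets, not captured traffic.
NORMAL = [(0, 1480, True), (1480, 1480, True), (2960, 200, False)]
# The classic teardrop shape: the second fragment sits entirely inside the
# first, so a naive reassembler computes a negative length for the "new" data.
TEARDROP = [(0, 36, True), (24, 4, False)]


if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP)):
        print(name, fragment_problems(frags) or "ok")
```

Modern stacks are patched against the original bug, but overlapping fragments still have no legitimate use and remain a classic IDS-evasion trick (different hosts resolve the overlap differently), so dropping them at the perimeter is the right default regardless of the host being patched.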
Explanations: Hack and Attack Methods
Several types of attacks have been explained in the chapters throughout this book. This section brings together these attack methods, and others that have not been presented, to show how they are related, how they can be detected, and how they can be countered.
Bullets: Redundant hardware
ready for “hot swapping” keeps information highly available by having multiple copies of information (mirroring) or enough extra information available to reconstruct information in case of partial loss (parity, error correction). Hot swapping allows the administrator to replace the failed component while the system continues to run and information remains available; usually degraded performance results, but unplanned downtime is avoided.
Bullets: Mail bombing
This is an attack used to overwhelm mail servers and clients with unrequested emails. Using e-mail filtering and properly configuring e-mail relay functionality on mail servers can be used to protect against this type of DoS attack.
Emphasis: system cold start
A system cold start takes place when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system to a more consistent state. The system, kernel, and user objects may remain in an inconsistent state while the system attempts to recover itself, and intervention may be required by the user or administrator to restore the system.
Bullets: Carries out security assessments
As a service to the business that the security administrator is working to secure, a security assessment leverages the knowledge and experience of the security administrator to identify vulnerabilities in the systems, networks, software, and in-house developed products used by a business. These security assessments enable the business to understand the risks it faces and to make sensible business decisions about products and services it considers purchasing, and risk mitigation strategies it chooses to fund versus risks it chooses to accept, transfer (by buying insurance), or avoid (by not doing something it had earlier considered doing but that isn’t worth the risk or risk mitigation cost).
Emphasis: Supercomputers
Supercomputers might be considered a special class of mainframe. They share many architectural similarities, but where mainframes are designed for very high quantities of general processing, supercomputers are optimized for extremely complex central processing (which also happens to require the vast I/O capability of the mainframe architecture). Where a mainframe’s several processors will balance the load of a very high number of general processes, a supercomputer’s possibly massive number of processors may be custom designed to allow a large number of very highly parallelized copies of a particular application to communicate in real time, or a very small number of extremely complex scientific algorithms to leverage vast amounts of data at once.
Explanations: Grid Computing
[Cartoon caption: “I am going to use a bit of the processing power of every computer and take over the world.”]
Emphasis: Data Leakage
Leaks of personal information can cause large dollar losses. The costs commonly include investigation, contacting affected individuals to inform them, penalties and fines to regulatory agencies and contract liabilities, and mitigating expenses (such as credit monitoring) and direct damages to affected individuals. In addition to financial loss, a company’s reputation may be damaged and individual identities can be stolen. The most common cause of data breach for a business is a lack of awareness and discipline among employees; negligence, rather than sophisticated attack, accounts for a large share of all leaks.
Emphasis: Change Control Documentation
Failing to document changes to systems and networks is only asking for trouble, because no one will remember, for example, what was done to that one server in the demilitarized zone (DMZ) six months ago or how the main router was fixed when it was acting up last year. Changes to software configurations and network devices take place pretty often in most environments, and keeping all of these details properly organized is impossible, unless someone maintains a log of this type of activity.
Vulnerability Scanning Recap : Vulnerability scanners provide the following capabilities:
- The identification of active hosts on the network
- The identification of active and vulnerable services (ports) on hosts
- The identification of applications and banner grabbing
- The identification of operating systems
- The identification of vulnerabilities associated with discovered operating systems and applications
- The identification of misconfigured settings
- Testing for compliance with host applications’ usage/security policies
- The establishment of a foundation for penetration testing