CHAPTER 11_Security Operations Flashcards

Question

Emphasis: Targeted tests

Answer 1

Targeted tests can involve external consultants and internal staff carrying out focused tests on specific areas of interest. For example, before a new application is rolled out, the team might test it for vulnerabilities before installing it into production. Another example is to focus specifically on systems that carry out e-commerce transactions and not the other daily activities of the company.

Answer 2

Chapter 4 discussed backdoors and some of the potential damage that can be caused by them. It also looked at how backdoors are inserted into the code so a developer can access the software at a later time, bypassing the usual security authentication and authorization steps. Now we will look at how and why attackers install backdoors on victims’ computers.

Answer 3

* Evaluate the true security posture of an environment (don’t cry wolf, as discussed earlier). * Identify as many vulnerabilities as possible, with honest evaluations and prioritizations of each. * Test how systems react to certain circumstances and attacks, to learn not only what the known vulnerabilities are (such as this version of the database, that version of the operating system, or a user ID with no password set), but also how the unique elements of the environment might be abused (SQL injection attacks, buffer overflows, and process design flaws that facilitate social engineering). * Before the scope of the test is decided and agreed upon, the tester must explain the testing ramifications. Vulnerable systems could be knocked offline by some of the tests, and production could be negatively affected by the loads the tests place on the systems.

Answer 4

Clustering is a fault-tolerant server technology that is similar to redundant servers, except each server takes part in processing services that are requested. A server cluster is a group of servers that are viewed logically as one server to users and can be managed as a single logical system. Clustering provides for availability and scalability. It groups physically different systems and combines them logically, which provides immunity to faults and improves performance. Clusters work as an intelligent unit to balance traffic, and users who access the cluster do not know they may be accessing different systems at different times. To the users, all servers within the cluster are seen as one unit. Clusters may also be referred to as server farms.

Answer 5

A single point of failure poses a lot of potential risk to a network, because if the device fails, a segment or even the entire network is negatively affected. Devices that could represent single points of failure are firewalls, routers, network access servers, T1 lines, switches, bridges, hubs, and authentication servers—to name a few. The best defenses against being vulnerable to these single points of failure are proper maintenance, regular backups, redundancy, and fault tolerance.

Answer 6

• Do too many users have rights and privileges to sensitive or restricted data or resources? The answer would indicate whether access rights to the data and resources need to be reevaluated, whether the number of individuals accessing them needs to be reduced, and/or whether the extent of their access rights should be modified.

Answer 7

A fake login screen is created and installed on the victim’s system. When the user attempts to log into the system, this fake screen is presented to the user, requesting he enter his credentials. When he does so, the screen captures the credentials and exits, showing the user the actual login screen for his system. Usually the user just thinks he mistyped his password and attempts to authenticate again without knowing anything malicious just took place. A host-based IDS can be used to detect this type of activity.

Answer 8

Poor programming practices, or sometimes bugs in libraries, allow more input than the program has allocated space to store it. This overwrites data or program memory after the end of the allocated buffer, and sometimes allows the attacker to inject program code and then cause the processor to execute it. This gives the attacker the same level of access as that held by the program that was attacked. If the program was run as an administrative user or by the system itself, this can mean complete access to the system.

Answer 9

* Facilities that house systems that process sensitive information should have physical access controls to limit access to authorized personnel only. * Data should be classified, and the necessary technical controls should be put into place to protect its integrity, confidentiality, and availability. * Hacker tools are becoming increasingly more sophisticated while requiring increasingly less knowledge by the attacker about how they work. * Quality assurance involves the verification that supporting documentation requirements are met. * Quality control ensures that an asset is operating within accepted standards. * System and audit logs should be monitored and protected from unauthorized modification. * Repetitive errors can indicate lack of training or issues resulting from a poorly designed system. * Sensitive data should not be printed and left at stand-alone printers or fax devices. * Users should have the necessary security level to access data and resources, but must also have a need to know. * Clipping levels should be implemented to establish a baseline of user activity and acceptable errors. * Separation of responsibilities and duties should be in place so that if fraud takes place, it requires collusion. * Sensitive information should contain the correct markings and labels to indicate the corresponding sensitivity level. * Contract and temporary staff members should have more restrictive controls put upon their accounts. * Access to resources should be limited to authorized personnel, applications, and services and should be audited for compliance to stated policies. * Change control and configuration management should be put in place so changes are approved, documented, tested, and properly implemented. * Activities that involve change management include requesting a change, approving a change, documenting a change, testing a change, implementing a change, and reporting to management. * Systems should not allow their bootup sequences to be altered in a way that could bypass operating system security mechanisms. * Potential employees should have background investigations, references, experience, and education claims checked out. * Proper fault-tolerant mechanisms should be put in place to counter equipment failure. * Antivirus and IDS signatures should be updated on a continual basis. * System, network, policy, and procedure changes should be documented and communicated. * When media is reused, it should contain no residual data. * Media holding sensitive data must be properly purged, which can be accomplished through zeroization, degaussing, or media destruction. * Life-cycle assurance involves protecting a system from inception to development to operation to removal. * The key aspects of operations security include resource protection, change control, hardware and software controls, trusted system recovery, separation of duties, and least privilege. * Least privilege ensures that users, administrators, and others accessing a system have access only to the objects they absolutely require to complete their job. * Vulnerability assessments should be done on a regular basis to identify new vulnerabilities. * The operations department is responsible for any unusual or unexplained occurrences, unscheduled initial program loads, and deviations from standards. * Standards need to be established that indicate the proper startup and shutdown sequence, error handling, and restoration procedures. * A teardrop attack involves sending malformed fragmented packets to a vulnerable system. * Improper mail relay configurations allow for mail servers to be used to forward spam messages. * Phishing involves an attacker sending false messages to a victim in the hopes that the victim will provide personal information that can be used to steal their identity. * A browsing attack occurs when an attacker looks for sensitive information without knowing what format it is in. * A fax encryptor encrypts all fax data leaving a fax server. * A system can fail in one of the following manners: system reboot, emergency system restart, and system cold start. * The main goal of operations security is to protect resources. * Operational threats include disclosure, theft, corruption, interruption, and destruction. * Operations security involves balancing the necessary level of security with ease of use, compliance, and cost constraints.

Answer 10

* Commands and data should not take place in cleartext (that is, they should be encrypted). For example, Secure Shell (SSH) should be used, not Telnet. * Truly critical systems should be administered locally instead of remotely. * Only a small number of administrators should be able to carry out this remote functionality. * Strong authentication should be in place for any administration activities. * Anyone who wears green shoes really should not be able to access these systems. They are weird.

Answer 11

Mean Time Between FailuresMean time between failures (MTBF) is the estimated lifespan of a piece of equipment. MTBF is calculated by the vendor of the equipment or a third party. The reason for using this value is to know approximately when a particular device will need to be replaced. Either based on historical data or scientifically estimated by vendors, it is used as a benchmark for reliability by predicting the average time that will pass in the operation of a component or a system until its final death.

Answer 12

Mean time between failures (MTBF) is the estimated lifespan of a piece of equipment. MTBF is calculated by the vendor of the equipment or a third party. The reason for using this value is to know approximately when a particular device will need to be replaced. Either based on historical data or scientifically estimated by vendors, it is used as a benchmark for reliability by predicting the average time that will pass in the operation of a component or a system until its final death.

Answer 13

Security and Network PersonnelThe security administrator should not report to the network administrator, because their responsibilities have different focuses. The network administrator is under pressure to ensure high availability and performance of the network and resources and to provide the users with the functionality they request. But many times this focus on performance and user functionality is at the cost of security. Security mechanisms commonly decrease performance in either processing or network transmission because there is more involved: content filtering, virus scanning, intrusion detection prevention, anomaly detection, and so on. Since these are not the areas of focus and responsibility of many network administrators, a conflict of interest could arise. The security administrator should be within a different chain of command from that of the network personnel to ensure that security is not ignored or assigned a lower priority.

Answer 14

Network and Resource AvailabilityIn the triangle of security services, availability is one of the foundational components, the other two being confidentiality and integrity. Network and resource availability often is not fully appreciated until it is gone. That is why administrators and engineers need to implement effective backup and redundant systems to make sure that when something happens (and something will happen), users’ productivity will not be drastically affected.

Answer 15

Companies should have an acceptable use policy, which indicates what software users can install and informs users that the environment will be surveyed from time to time to verify compliance. Technical controls should be emplaced to prevent unauthorized users from being able to install unauthorized software in the environment.

Answer 16

. To reduce the possibility of an unauthorized configuration change taking effect, and to reduce the possibility of denial of service through an inappropriate shutdown, only administrators should have the ability to instruct critical systems to shut down.

Answer 17

This attack sends malformed fragmented packets to a victim. The victim’s system usually cannot reassemble the packets correctly and freezes as a result. Countermeasures to this attack are to patch the system and use ingress filtering to detect these packet types.

Answer 18

Several types of attacks have been explained in the chapters throughout this book. This section brings together these attack methods, and others that have not been presented, to show how they are related, how they can be detected, and how they can be countered.

Answer 19

ready for “hot swapping” keeps information highly available by having multiple copies of information (mirroring) or enough extra information available to reconstruct information in case of partial loss (parity, error correction). Hot swapping allows the administrator to replace the failed component while the system continues to run and information remains available; usually degraded performance results, but unplanned downtime is avoided.

Answer 20

This is an attack used to overwhelm mail servers and clients with unrequested emails. Using e-mail filtering and properly configuring e-mail relay functionality on mail servers can be used to protect against this type of DoS attack.

Answer 21

A system cold start takes place when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system to a more consistent state. The system, kernel, and user objects may remain in an inconsistent state while the system attempts to recover itself, and intervention may be required by the user or administrator to restore the system.

Answer 22

As a service to the business that the security administrator is working to secure, a security assessment leverages the knowledge and experience of the security administrator to identify vulnerabilities in the systems, networks, software, and in-house developed products used by a business. These security assessments enable the business to understand the risks it faces and to make sensible business decisions about products and services it considers purchasing, and risk mitigation strategies it chooses to fund versus risks it chooses to accept, transfer (by buying insurance), or avoid (by not doing something it had earlier considered doing but that isn’t worth the risk or risk mitigation cost).

Answer 23

Supercomputers might be considered a special class of mainframe. They share many architectural similarities, but where mainframes are designed for very high quantities of general processing, supercomputers are optimized for extremely complex central processing (which also happens to require the vast I/O capability of the mainframe architecture). Where a mainframe’s several processors will balance the load of a very high number of general processes, a supercomputer’s possibly massive number of processes may be custom designed to allow a large number of very highly parallelized copies of a particular application to communicate in real time, or a very small number of extremely complex scientific algorithms to leverage vast amounts of data at once.email Security

Answer 24

I am going to use a bit of the processing power of every computer and take over the world.

Answer 25

Data LeakageLeaks of personal information can cause large dollar losses. The costs commonly include investigation, contacting affected individuals to inform them, penalties and fines to regulatory agencies and contract liabilities, and mitigating expenses (such as credit reporting) and direct damages to affected individuals. In addition to financial loss, a company’s reputation may be damaged and individual identities can be stolen. The most common cause of data breach for a business is a lack of awareness and discipline among employees. Negligence commonly leads to an overwhelming majority of all leaks.

Answer 26

Change Control DocumentationFailing to document changes to systems and networks is only asking for trouble, because no one will remember, for example, what was done to that one server in the demilitarized zone (DMZ) six months ago or how the main router was fixed when it was acting up last year. Changes to software configurations and network devices take place pretty often in most environments, and keeping all of these details properly organized is impossible, unless someone maintains a log of this type of activity.

Answer 27

* The identification of active hosts on the network * The identification of active and vulnerable services (ports) on hosts * The identification of applications and banner grabbing * The identification of operating systems * The identification of vulnerabilities associated with discovered operating systems and applications * The identification of misconfigured settings * Test for compliance with host applications’ usage/security policies * The establishment of a foundation for penetration testing

Answer 28

Data remanence is the residual physical representation of information that was saved and then erased in some fashion. This remanence may be enough to enable the data to be reconstructed and restored to a readable form. This can pose a security threat to a company that thinks it has properly erased confidential data from its media. If the media is reassigned (object reuse), then an unauthorized individual could gain access to your sensitive data.

Answer 29

Mandatory vacations are another type of administrative control, though the name may sound a bit odd at first. Chapter 2 touched on reasons to make sure employees take their vacations. Reasons include being able to identify fraudulent activities and enabling job rotation to take place. If an accounting employee has been performing a salami attack by shaving off pennies from multiple accounts and putting the money into his own account, a company would have a better chance of figuring this out if that employee is required to take a vacation for a week or longer. When the employee is on vacation, another employee has to fill in. She might uncover questionable documents and clues of previous activities, or the company may see a change in certain patterns once the employee who is committing fraud is gone for a week or two.

Answer 30

If you see the term operators on the exam, it is dealing specifically with mainframe operators even if the term mainframe is not used in the question.

Answer 31

RAIT (redundant array of independent tapes) is similar to RAID, but uses tape drives instead of disk drives. Tape storage is the lowest-cost option for very large amounts of data, but is very slow compared to disk storage. For very large write-mostly storage applications where MAID is not economical and where a higher performance than typical tape storage is desired, or where tape storage provides appropriate performance and higher reliability is required, RAIT may fit.

Answer 32

The team has intimate knowledge of the target.

Answer 33

(audit logging) who has custody of each piece of media at any given moment. This creates the same kind of audit trail as any audit logging activity—to allow an investigation to determine where information was at any given time, who had it, and, for particularly sensitive information, why they accessed it. This enables an investigator to focus efforts on particular people, places, and time if a breach is suspected or known to have happened.

Answer 34

• Physical testing includes reviewing facility and perimeter protection mechanisms. For instance, do the doors actually close automatically, and does an alarm sound if a door is held open too long? Are the interior protection mechanisms of server rooms, wiring closets, sensitive systems, and assets appropriate? (For example, is the badge reader working, and does it really limit access to only authorized personnel?) Is dumpster diving a threat? (In other words, is sensitive information being discarded without proper destruction?) And what of protection mechanisms for manmade, natural, or technical threats? Is there a fire suppression system? Does it work, and is it safe for the people and the equipment in the building? Are sensitive electronics kept above raised floors so they survive a minor flood? And so on.

Answer 35

As noted earlier, vulnerability scans find the potential vulnerabilities. Actual penetration testing is required to identify those vulnerabilities that can actually be exploited in the environment and cause damage.

Answer 36

When a system goes down, and they will, it is important that the operations personnel know how to troubleshoot and fix the problem. The following are the proper steps that should be taken:

Answer 37

Storage Area NetworksDrawing from the local area network (LAN), wide area network (WAN), and metropolitan area network (MAN) nomenclature, a storage area network (SAN) consists of large amounts of storage devices linked together by a high-speed private network and storage-specific switches. This creates a “fabric” that allows users to attach to and interact in a transparent mode. When a user makes a request for a file, he does not need to know which server or tape drive to go to—the SAN software finds it and magically provides it to the user.

Answer 38

Assurance LevelsWhen products are evaluated for the level of trust and assurance they provide, many times operational assurance and life-cycle assurance are part of the evaluation process. Operational assurance concentrates on the product’s architecture, embedded features, and functionality that enable a customer to continually obtain the necessary level of protection when using the product. Examples of operational assurances examined in the evaluation process are access control mechanisms, the separation of privileged and user program code, auditing and monitoring capabilities, covert channel analysis, and trusted recovery when the product experiences unexpected circumstances.

Answer 39

I think our tasks should be separated because I don’t trust you.Response: Fine by me.

Answer 40

Redundant array of independent disks (RAID) is a technology used for redundancy and/or performance improvement. It combines several physical disks and aggregates them into logical arrays. When data are saved, the information is written across all drives. A RAID appears as a single drive to applications and other devices.

Answer 41

Penetration testing is the process of simulating attacks on a network and its systems at the request of the owner, senior management. Penetration testing uses a set of procedures and tools designed to test and possibly bypass the security controls of a system. Its goal is to measure an organization’s level of resistance to an attack and to uncover any weaknesses within the environment. Organizations need to determine the effectiveness of their security measures and not just trust the promises of the security vendors. Good computer security is based on reality, not on some lofty goals of how things are supposed to work.

Answer 42

These are problems that occur below the level of the user interface, deep inside the operating system. Any flaw in the kernel that can be reached by an attacker, if exploitable, gives the attacker the most powerful level of control over the system.

Answer 43

. For example, when a particular version of a software application kept in the library has been deemed obsolete, this fact must be recorded so the obsolete version of the application is not used unless that particular obsolete version is required. Even once no possible need for the actual media or its content remains, retaining a log of the former existence and the time and method of its deletion may be useful to demonstrate due diligence.

Answer 44

Your covert strategic plans on how we are going to attack our enemy are sitting in a fax bin in the front office.

Answer 45

When an operating system moves into any type of unstable state, there are always concerns that the system is vulnerable in some fashion. The system needs to be able to protect itself and the sensitive data that it maintains. The following lists just a few of the security issues that should be addressed properly in a trusted recovery process.

Answer 46

I have a maid that collects my data and vacuums.Response: Sure you do.

Answer 47

What is that massive gray thing in the corner?Response: No one really knows.

Answer 48

to detect if any media has been lost/changed. This can reduce the amount of damage a violation of the other media protection responsibilities could cause by detecting such violations sooner rather than later, and is a necessary part of the media management life cycle by which the controls in place are verified as being sufficient.

Answer 49

What if my application or system blows up?Response: It should do so securely.

Answer 50

What does our contingency plan state?Response: It says to blame everything on Bob.

Answer 51

Despite some security vendors’ claims that their products will provide effective security with “set it and forget it” deployments, security products require monitoring and maintenance in order to provide their full value. Version updates and upgrades may be required when new capabilities become available to combat new threats, and when vulnerabilities are discovered in the security products themselves.

Answer 52

Companies have the ethical obligation to use only legitimately purchased software applications. Software makers and their industry representation groups such as the Business Software Alliance (BSA) use aggressive tactics to target companies that use pirated (illegal) copies of software.

Answer 53

Testing OneselfSome of the same tactics an attacker may use when wardialing may be useful to the system administrator, such as wardialing at night to reduce disruption to the business. Be aware, when performing wardialing proactively, that dialing at night may also miss some unauthorized modems that are attached to systems that are turned off by their users at the end of the day. Wardialers can be configured to avoid certain numbers or blocks of numbers, so the system administrator can avoid dialing numbers known to be voice-only, such as help desks. This can also be done on more advanced PBXs, with any number assigned to a digital voice device that is configured to not support a modem.

Answer 54

• System and network testing are perhaps what most people think of when discussing information security vulnerability testing. For efficiency, an automated scanning product identifies known system vulnerabilities, and some may (if management has signed off on the performance impact and the risk of disruption) attempt to exploit vulnerabilities.

Answer 55

* Marking * Logging * Integrity verification * Physical access protection * Environmental protection * Transmittal * Disposition

Answer 56

What’s the Real Deal?MTBF can be misleading. Putting aside questions of whether manufacturer-predicted MTBFs are believable, consider a desktop PC with a single hard drive installed, where the hard drive has an MTBF estimate by the manufacturer of 30,000 hours. Thus, 30,000 hours/8,760 hours/year = a little over three years MTBF. This suggests that this model of hard drive, on average, will last over three years before it fails. Put aside the notions of whether the office environment in which that PC is located is temperature-, humidity-, shock-, and coffee spill-controlled, and install a second identical hard drive in that PC. The possibility of failure has now doubled, giving two chances in that three-year period of suffering a failure of a hard drive in the PC. Extrapolate this to a data center with thousands of these hard drives in it, and it becomes clear that a hard drive replacement budget is required each year, along with redundancy for important data.

Answer 57

An attacker sends multiple service requests to the victim’s computer until they eventually overwhelm the system, causing it to freeze, reboot, and ultimately not be able to carry out regular tasks.

Answer 58

System ControlsSystem controls are also part of operations security. Within the operating system itself, certain controls must be in place to ensure that instructions are being executed in the correct security context. The system has mechanisms that restrict the execution of certain types of instructions so they can take place only when the operating system is in a privileged or supervisor state. This protects the overall security and state of the system and helps ensure it runs in a stable and predictable manner.

Answer 59

This is a type of DoS attack in which oversized ICMP packets are sent to the victim. Systems that are vulnerable to this type of attack do not know how to handle ICMP packets over a specific size and may freeze or reboot. Countermeasures are to patch the systems and implement ingress filtering to detect these types of packets.

Answer 60

Mainframe operators have a long list of responsibilities: reassigning ports, mounting input and output volumes, overseeing and controlling the flow of the submitted jobs, renaming (or relabeling) resources, taking care of any IPLs, and buying donuts for the morning meetings.

Answer 61

. Disposition includes the lifetime after which the information is no longer valuable and the minimum necessary measures for the disposal of the media/information. Secure disposal of media/information can add significant cost to media management. Knowing that only a certain percentage of the information must be securely erased at the end of its life may significantly reduce the long-term operating costs of the company. Similarly, knowing that certain information must be disposed of securely can reduce the possibility of a piece of media being simply thrown in a dumpster and then found by someone who publicly embarrasses or blackmails the company over the data security breach represented by that inappropriate disposal of the information. It is the business that creates the information stored on media, not the person, library, or librarian who has custody of the media, that is responsible for setting the lifetime and disposition of that information. The business must take into account the useful lifetime of the information to the business, legal and regulatory restrictions, and, conversely, the requirements for retention and archiving when making these decisions. If a law or regulation requires the information to be kept beyond its normally useful lifetime for the business, then disposition may involve archiving—moving the information from the ready (and possibly more expensive) accessibility of a library to a long-term stable and (with some effort) retrievable format that has lower storage costs.

Answer 62

Deviations from StandardsIn this instance, “standards” pertains to computing service levels and how they are measured. Each device can have certain standards applied to it: the hours of time to be online, the number of requests that can be processed within a defined period of time, bandwidth usage, performance counters, and more. These standards provide a baseline that is used to determine whether there is a problem with the device. For example, if a device usually accepts approximately 300 requests per minute, but suddenly it is only able to accept 3 per minute, the operations team would need to investigate the deviation from the standard that is usually provided by this device. The device may be failing or under a denial-of-service (DoS) attack, or be subject to legitimate business-use cases that had not been foreseen when the device was first implemented.

Answer 63

This is a brute force attack in which an attacker has a program that systematically dials a large bank of phone numbers with the goal of finding ones that belong to modems instead of telephones. These modems can provide easy access into an environment. The countermeasures are to not publicize these telephone numbers and to implement tight access control for modems and modem pools.

Answer 64

are also required to maintain availability. The most reliable hardware with the highest redundancy or fault tolerance, designed for the fastest mean time to repair, will mostly be a waste of money if operational procedures, training, and continuous improvement are not part of the operational environment: one slip of the finger by an IT administrator can halt the most reliable system.

Answer 65

. To ensure that systems recover to a secure state, the design of the system must prevent an attacker from changing the bootup sequence of the system. For example, on a Windows workstation or server, only authorized users should have access to BIOS settings to allow the user to change the order in which bootable devices are checked by the hardware. If the approved boot order is C: (the main hard drive) only, with no other hard drives and no removable devices (for example CD/DVD, or USB) allowed, then the hardware settings must prohibit the user (and the attacker) from changing those device selections and the order in which they are used. If the user or attacker can change the bootable devices selections or order, and can cause the system to reboot (which is always possible with physical access to a system), they can boot their own media and attack the software and/or data on the system.

Answer 66

by verifying on a media-type and environment-appropriate basis that each piece of media remains usable, and transferring still-valuable information from pieces of media reaching their obsolescence date to new pieces of media. Every type of media has an expected lifespan under certain conditions, after which it can no longer be expected that the media will reliably retain information. For example, a commercially produced CD or DVD stored in good environmental conditions should be reliable for at least ten years, whereas an inexpensive CD-R or DVD-R sitting on a shelf in a home office may become unreliable after just one year. All types of media in use at a company should have a documented (and conservative) expected lifespan. When the information on a piece of media has more remaining lifespan before its scheduled obsolescence/destruction date than does the piece of media on which the information is recorded, then the information must be transcribed to a newer piece or a newer format of media. Even the availability of hardware to read media in particular formats must be taken into account. A media format that is physically stable for decades, but for which no working device remains available to read, is of no value. Additionally, as part of maintaining the integrity of the specific contents of a piece of media, if the information on that media is highly valuable or mandated to be kept by some regulation or law, a cryptographic signature of the contents of the media may be maintained, and the contents of the piece of media verified against that signature on a regular basis.

Answer 67

* Online transactions must be recorded and timestamped. * Data entered into a system should be in the correct format and validated to ensure such data are not malicious. * Ensure output reaches the proper destinations securely: * A signed receipt should always be required before releasing sensitive output. * A heading and trailing banner should indicate who the intended receiver is. * Once output is created, it must have the proper access controls implemented, no matter what its format (paper, digital, tape). * If a report has no information (nothing to report), it should contain “no output.”

Answer 68

* The identification of active hosts on the network * The identification of active and vulnerable services (ports) on hosts * The identification of applications and banner grabbing * The identification of operating systems * The identification of vulnerabilities associated with discovered operating systems and applications * The identification of misconfigured settings * Test for compliance with host applications’ usage/security policies * The establishment of a foundation for penetration testing

Answer 69

Initial program load (IPL) is a mainframe term for loading the operating system’s kernel into the computer’s main memory. On a personal computer, booting into the operating system is the equivalent to IPLing. This activity takes place to prepare the computer for user operation.

Answer 70

I threw the server down a flight of steps. I think it is pretty hardened.Response: Well, that should be good enough then.

Answer 71

The team has some information about the target.

Answer 72

Excuse me. Could you please attack me?Response: I would love to!

Answer 73

New accounts must be protected from attackers who might know patterns used for passwords, or might find accounts that have been newly created without any passwords, and take over those accounts before the authorized user accesses the account and changes the password. The security administrator operates automated new password generators or manually sets new passwords, and then distributes them to the authorized user so attackers cannot guess the initial or default passwords on new accounts, and so new accounts are never left unprotected.

Answer 74

Atoms and DataA device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero. This magnetic force is what properly erases data from media. Data are stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization (magnetic alignment) by using a type of large magnet to bring it back to its original flux (magnetic alignment).

Answer 75

An emergency system restart takes place after a system failure happens in an uncontrolled manner. This could be a kernel or media failure caused by lower-privileged user processes attempting to access memory segments that are restricted. The system sees this as an insecure activity that it cannot properly recover from without rebooting. The kernel and user objects could be in an inconsistent state, and data could be lost or corrupted. The system thus goes into a maintenance mode and recovers from the actions taken. Then it is brought back up in a consistent and stable state.

Answer 76

While some of the strongest security protections come from preventive controls (such as firewalls that block unauthorized network activity), detective controls such as reviewing audit logs are also required. The firewall blocked 60,000 unauthorized access attempts yesterday. The only way to know if that’s a good thing or an indication of a bad thing is for the security administrator (or automated technology under his control) to review those firewall logs to look for patterns. If those 60,000 blocked attempts were the usual low-level random noise of the Internet, then things are (probably) normal; but if those attempts were advanced and came from a concentrated selection of addresses on the Internet, a more deliberate (and more possibly successful) attack may be underway. The security administrator’s review of audit logs detects bad things as they occur and, hopefully, before they cause real damage.

Answer 77

* Disk shadowing (mirroring) * Redundant servers * RAID, MAID, RAIT * Clustering * Backups * Dual backbones * Direct Access Storage Device * Redundant power * Mesh network topology instead of star, bus, or ring

Answer 78

Asset Identification and ManagementAsset management is easily understood as “knowing what the company owns.” In a retail store, this may be called inventory management, and is part of routine operations to ensure that sales records and accounting systems are accurate and that theft is discovered. While these same principles may apply to an IT environment, there’s much more to it than just the physical and financial aspect.

Answer 79

Asset management is easily understood as “knowing what the company owns.” In a retail store, this may be called inventory management, and is part of routine operations to ensure that sales records and accounting systems are accurate and that theft is discovered. While these same principles may apply to an IT environment, there’s much more to it than just the physical and financial aspect.

Answer 80

The security administrator puts into practice the security policies of least privilege and oversees accounts that exist, along with the permissions and rights they are assigned.

Answer 81

Browsing is a general technique used by intruders to obtain information they are not authorized to access. This type of attack takes place when an attacker is looking for sensitive data but does not know the format of the data (word processing document, spreadsheet, database, piece of paper). Browsing can be accomplished by looking through another person’s files kept on a server or workstation, rummaging through garbage looking for information that was carelessly thrown away, or reviewing information that has been saved on USB Flash drives. A more advanced and sophisticated example of browsing is when an intruder accesses residual information on storage media. The original user may have deleted the files from a USB Flash drive, but, as stated earlier, this only removes the pointers to the files within the file system on that disk. The talented intruder can access these data (residual information) and access information he is unauthorized to obtain.

Answer 82

Change Control ProcessA well-structured change management process should be put into place to aid staff members through many different types of changes to the environment. This process should be laid out in the change control policy. Although the types of changes vary, a standard list of procedures can help keep the process under control and ensure it is carried out in a predictable manner. The following steps are examples of the types of procedures that should be part of any change control policy:

Answer 83

Vulnerability TestingVulnerability testing, whether manual, automated, or—preferably—a combination of both, requires staff and/or consultants with a deep security background and the highest level of trustworthiness. Even the best automated vulnerability scanning tool will produce output that can be misinterpreted as crying wolf (false positive) when there is only a small puppy in the room, or alert you to something that is indeed a vulnerability but that either does not matter to your environment or is adequately compensated elsewhere. There may also be two individual vulnerabilities that exist, which by themselves are not very important but when put together are critical. And of course, false negatives will also crop up, such as an obscure element of a single vulnerability that matters greatly to your environment but that is not called out by the tool.

Answer 84

* Wiring closets should be locked. * Network switches and hubs, when it is not practical to place them in locked wiring closets, should be inside locked cabinets. * Network ports in public places (for example, kiosk computers and even telephones) should be made physically inaccessible.

Answer 85

Direct Access Storage Device (DASD) is a general term for magnetic disk storage devices, which historically have been used in mainframe and minicomputer (mid-range computer) environments. RAID is a type of DASD. The key distinction between Direct Access and Sequential Access storage devices is that any point on a Direct Access Storage Device may be promptly reached, whereas every point in between the current position and the desired position of a Sequential Access Storage Device must be traversed in order to reach the desired position. Tape drives are Sequential Access Storage Devices. Some tape drives have minimal amounts of Direct Access intelligence built in. These include multitrack tape devices that store at specific points on the tape and cache in the tape drive information about where major sections of data on the tape begin, allowing the tape drive to more quickly reach a track and a point on the track from which to begin the now much shorter traversal of data from that indexed point to the desired point. While this makes such tape drives noticeably faster than their purely sequential peers, the difference in performance between Sequential and Direct Access Storage Devices is orders of magnitude.

Answer 86

This is a method of uncovering information by watching traffic patterns on a network. For example, heavy traffic between the HR department and headquarters could indicate an upcoming layoff. Traffic padding can be used to counter this kind of attack, in which decoy traffic is sent out over the network to disguise patterns and make it more difficult to uncover them.

Answer 87

Some companies use fax servers, which are systems that manage incoming and outgoing faxed documents. When a fax is received by the fax server, the fax server properly routes it to the individual it is addressed to so it is kept in electronic form rather than being printed. Typically, the received fax is routed to the recipient’s electronic mailbox.

Answer 88

Race conditions exist when the design of a program puts it in a vulnerable condition before ensuring that those vulnerable conditions are mitigated. Examples include opening temporary files without first ensuring the files cannot be read, or written to, by unauthorized users or processes, and running in privileged mode or instantiating dynamic load library functions without first verifying that the dynamic load library path is secure. Either of these may allow an attacker to cause the program (with its elevated privileges) to read or write unexpected data or to perform unauthorized commands.

Answer 89

The team does not have any knowledge of the target and must start from ground zero.

Answer 90

Though the attacker may be properly blocked from seeing or changing the content of sensitive system files and data, if a program follows a symbolic link (a stub file that redirects the access to another place) and the attacker can compromise the symbolic link, then the attacker may be able to gain unauthorized access. (Symbolic links are used in Unix and Linux type systems.) This may allow the attacker to damage important data and/or gain privileged access to the system. A historical example of this was to use a symbolic link to cause a program to delete a password database, or replace a line in the password database with characters that, in essence, created an unpassworded root-equivalent account.

Answer 91

File descriptors are numbers many operating systems use to represent open files in a process. Certain file descriptor numbers are universal, meaning the same thing to all programs. If a program makes unsafe use of a file descriptor, an attacker may be able to cause unexpected input to be provided to the program, or cause output to go to an unexpected place with the privileges of the executing program.

Answer 92

Initial program load (IPL) is a mainframe term for loading the operating system’s kernel into the computer’s main memory. On a personal computer, booting into the operating system is the equivalent to IPLing. This activity takes place to prepare the computer for user operation.

Answer 93

keep information available against not only individual storage device faults but even against whole system failures. Fault tolerance is among the most expensive possible solutions, and is justified only for the most mission-critical information. All technology will eventually experience a failure of some form. A company that would suffer irreparable harm from any unplanned downtime, or that would accumulate millions of dollars in losses for even a very brief unplanned downtime, can justify paying the high cost for fault-tolerant systems.

Answer 94

help service providers, whether they are an internal IT operation or an outsourcer, decide what type of availability technology is appropriate. From this determination, the price of a service or the budget of the IT operation can be set. The process of developing an SLA with a business is also beneficial to the business. While some businesses have performed this type of introspection on their own, many have not, and being forced to go through the exercise as part of budgeting for their internal IT operations or external sourcing helps the business understand the real value of its information.

Answer 95

The operations department is also responsible for a majority of the items covered in Chapter 5. This includes server room temperature and humidity; fire protection; heating, ventilation, and air conditioning (HVAC); water protection; power sources; positive air pressure to protect against contaminants; and a closed-loop, recirculating air-conditioning system.

Answer 96

Slamming is when a user’s service provider has been changed without that user’s consent. Cramming is adding on charges that are bogus in nature that the user did not request. Properly monitoring charges on bills is really the only countermeasure to these types of attacks.

Answer 97

Media ControlsMedia and devices that can be found in an operations environment require a variety of controls to ensure they are properly preserved and that the integrity, confidentiality, and availability of the data held on them are not compromised. For the purposes of this discussion, “media” may include both electronic (disk, CD/DVD, tape, Flash devices such as USB “thumb drives,” and so on) and nonelectronic (paper) forms of information; and media libraries may come into custody of media before, during, and/or after the information content of the media is entered into, processed on, and/or removed from systems.

Answer 98

A backdoor is a program that is installed by an attacker to enable her to come back into the computer at a later date without having to supply login credentials or go through any type of authorization process. Access control is thwarted by the attacker because she can later gain access to the compromised computer. The backdoor program actually listens on specific ports for the attacker, and once the attacker accesses those ports, the backdoor program lets her come right in.

Answer 99

A vulnerability assessment identifies a wide range of vulnerabilities in the environment. This is commonly carried out through a scanning tool. By contrast, in a penetration test, the security professional exploits one or more vulnerabilities to prove to the customer (or your boss) that a hacker can actually gain access to company resources.

Answer 100

How is a rat going to help us store our data?Response: Who hired you and why?

Answer 101

I have my can that is connected to another can with a string. Can you put the other can up to my computer monitor? I have work to do.

Answer 102

To gain the benefits of remote access without taking on unacceptable risks, remote administration needs to take place securely. The following are just a few of the guidelines to use:

Answer 103

I am a very prudent man.Response: That is debatable.

Answer 104

. Through separation of duties and access controls, system logs and system state files must be preserved against attempts by users/attackers to hide their actions or change the state to which the system will next restart. If any system configuration file can be changed by an unauthorized user, and then the user can find a way to cause the system to restart, the new—possibly insecure—configuration will take effect.

Answer 105

Job rotation means that, over time, more than one person fulfills the tasks of one position within the company. This enables the company to have more than one person who understands the tasks and responsibilities of a specific job title, which provides backup and redundancy if a person leaves the company or is absent. Job rotation also helps identify fraudulent activities, and therefore can be considered a detective type of control. If Keith has performed David’s position, Keith knows the regular tasks and routines that must be completed to fulfill the responsibilities of that job. Thus, Keith is better able to identify whether David does something out of the ordinary and suspicious.