Chapter 14: Incident Management Flashcards
What is an incident?
Any event that has a negative effect on the confidentiality, availability, or integrity of an organization’s assets.
What is a computer security incident?
An incident that is the result of an attack or the malicious or intentional actions of users.
How does NIST SP 800-61 define a computer security incident?
A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
What are the steps of incident response?
Detection, Response, Reporting, Recovery, Remediation and Review
List the ways in which an incident might be detected.
IDS/IPS systems send an alert
AV software displays a popup window
Automated tools scanning audit logs that send an alert when an event occurs
End users report problems such as inability to access a network resource.
What should the first step after incident detection be?
Contain the incident, for example, unplug the NIC but don’t turn the system off.
What is a CIRT or CSIRT?
A designated incident response team. Computer Incident Response Team; the S stands for Security.
What improves your chances of limiting incident damage?
Faster response time.
What should you do after containing a security incident?
Investigate.
What are requirements for incident reporting?
There can be many. Many jurisdictions have reporting requirements if PII is compromised.
Why are many incidents not properly reported?
Training. People aren’t trained properly to recognize them as incidents.
Why is finger pointing bad?
It takes focus away from fixing the problem.
What should the end result of remediation and review be?
Often, a report by the C(S)IRT that may recommend changing procedures, adding security controls, or changing policies.
List the basic preventative measures to prevent attacks.
Keep systems and applications up to date
Remove or disable unneeded services and protocols
Use up-to-date antivirus software
Use firewalls
Use intrusion detection and prevention systems.
What is malicious code?
Any script or program that performs an unwanted, unauthorized, or unknown activity on a computer system.
What is a drive-by-download?
Code downloaded and installed on a user’s system without the user’s knowledge. Occurs when the user visits an infected web page.
What is a zero-day exploit?
An attack on a system exploiting a vulnerability that is unknown to others.
What is a denial of service attack?
Attacks that prevent a system from processing or responding to legitimate traffic or requests for resources and objects.
What is a SYN flood attack?
A common DoS attack that abuses the three-way TCP handshake. Multiple SYNs are sent but never acknowledged, leaving half-open connections.
List tools that can perform a SYN flood
Trinoo, TFN, LOIC
What is a smurf attack?
A flood attack that floods the victim with ICMP echo packets. It’s a spoofed broadcast ping that results in responses being sent to the target.
What is Ping of Death?
An oversized ping packet > 64 KB. Vulnerable systems crash when they receive the packet.
What is war dialing?
Using a modem to search for a system that accepts inbound connection attempts.
What is an intrusion?
An attacker successfully bypassing or thwarting security mechanisms and gaining access to an organization’s assets.
What is intrusion detection?
A specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.
What is an IDS?
An intrusion detection system. Automates log monitoring and real-time event monitoring.
What is knowledge based detection?
Signature or pattern matching detection. The most common method.
What is behavior based detection?
Statistical or anomaly based detection. Creates a baseline of normal activities and watches for anomalies.
What is the primary drawback of behavior based IDS?
Often raises a high number of false positives.
What are the two types of IDS response?
Active and passive
What is active IDS response?
Modifying the environment, for example modifying ACLs to block traffic, disabling communication on a segment, etc.
What is passive IDS response?
Sending notifications to administrators (email, pager, popup).
What is a host based IDS?
An IDS that monitors a single host, including process calls and information recorded in logs. Often more detailed than a NIDS.
What is a network based IDS?
One that monitors a network by monitoring network patterns.
What is the benefit of a host based intrusion detection system over a network based one?
It can often detect anomalies that wouldn’t be visible on the network.
What is the difference between an IDS and IPS?
An IPS is inline with the network traffic, where an IDS is not.
What is a pseudo-flaw?
A false vulnerability or apparent loophole implanted intentionally to tempt hackers.
What is a padded cell?
Similar to a honeypot, it isolates intruders in an environment that looks like the actual target.
What is a darknet?
A portion of an allocated IP range that isn’t used. Includes one device to capture all traffic into the darknet. Any traffic on the darknet is by definition malicious or suspect.
What are the goals of penetration testing?
Determine how well a system can tolerate attack
Identify employees’ ability to detect and respond to attacks in real time
Identify additional controls that can be implemented to reduce risk.
What are the different types of penetration testing?
Black box testing by a zero-knowledge team
White box testing by a full-knowledge team
Gray box testing by a partial-knowledge team
Why should the regular security staff not be used for penetration testing?
They often have blind spots or gaps in their understanding, estimation or capabilities with certain security subjects. If they knew about a vulnerability, they’d have fixed it already.
What problems should pen test teams fix?
None. Ever.