Chapter 17 - Preventing and Responding to Incidents Flashcards

1
Q
What is the primary goal of incident response?
A

To minimise the impact on the organisation.

2
Q
What is an incident?
A

An incident is an unplanned interruption to an IT service or a reduction in the quality of an IT service.
• An incident is any event that has a negative effect on the confidentiality, integrity or availability of an organisation’s asset.

3
Q
What is a security incident?
A

A security incident is an event that may indicate that an organisation’s systems or data have been compromised or that measures put in place to protect them have been bypassed.

4
Q
List the methods of detecting incidents:
A

• Intrusion detection and prevention systems
• Anti-malware software
• Automated tools scanning audit logs
• End users detecting unusual activities

5
Q
What are designated incident response teams called?
A

Computer Incident Response Team (CIRT) or Computer Security Incident Response Team (CSIRT).

6
Q
Describe the mitigation step of incident response:
A

Mitigation steps attempt to contain an incident. In some cases, responders take steps to mitigate the incident without letting the attacker know that the attack has been detected. This allows security personnel to monitor the attacker’s activities and determine the scope of the attack.

7
Q
Describe incident reporting:
A

Incident reporting refers to reporting an incident within the organisation and to organisations and individuals outside the organisation.

8
Q
What is recovery in the incident response steps?
A

After investigators collect all appropriate evidence from a system, the next step is to recover the system, or return it to a fully functioning state. The most secure method of restoring a system after an incident is to completely rebuild the system from scratch.

9
Q
What is remediation in incident response?
A

In the remediation stage, personnel look at the incident and attempt to identify what allowed it to happen, and implement methods to prevent it from happening again, e.g. root cause analysis.

10
Q
What is root cause analysis?
A

Root cause analysis is used in incident response; it examines the incident to determine what allowed it to happen.

11
Q
What are lessons learned?
A

Personnel examine the incident response and look for areas where the response can be improved. Based on the findings, the team may recommend changes to procedures, the addition of security controls, or even changes to policies.

12
Q
List some preventive measures:
A

• Keep systems and applications up to date
• Remove or disable unneeded services and protocols
• Use intrusion detection and prevention systems
• Use up-to-date anti-malware software
• Use firewalls
• Implement configuration and system management processes

13
Q
Computers in a botnet are referred to as:
A

Bots or zombies.

14
Q
What is a bot herder?
A

A bot herder is typically a criminal who controls all the computers in the botnet via one or more command-and-control servers.

15
Q
What are zombies?
A

A zombie is a malicious program installed on a device that transforms it into a zombie that attacks systems. Zombies can be programmed to contact the server periodically, or remain dormant until a specific programmed date and time, or respond to an event, such as when specific traffic is detected.

16
Q
List methods of protecting systems from botnets:
A

Use a defence-in-depth strategy, implementing multiple layers of security:
• Up-to-date malware protection
• Up-to-date patches
• Keep browsers and plugins up to date
• Use sandboxing on browsers

17
Q
What is a Distributed Reflective Denial-of-Service (DRDoS) attack?
A

A Distributed Reflective Denial-of-Service attack manipulates traffic or a network service so that the attacks are reflected back to the victim from other sources, e.g. Domain Name System (DNS) poisoning attacks and smurf attacks.

18
Q
What is a SYN flood attack?
A

A SYN flood attack occurs when attackers send multiple SYN packets but never complete the connection with an ACK.
• The attack can consume available memory and processing power, resulting in the victim slowing to a crawl or actually crashing.

19
Q
List ways of stopping SYN flood attacks:
A

Using SYN cookies, firewalls, IDS and IPS.

20
Q
What are smurf and fraggle attacks?
A

They are DoS attacks.
• A smurf attack is a spoofed broadcast ping request using the IP address of the victim as the source IP address.
• A smurf attack is another type of flood attack, but it floods the victim with Internet Control Message Protocol (ICMP) echo packets instead of TCP SYN packets.

21
Q
What are fraggle attacks?
A

A fraggle attack broadcasts a UDP packet using the spoofed IP address of the victim. All systems on the network will then send traffic to the victim, just as with a smurf attack.
• Fraggle attacks are similar to smurf attacks, but instead of using ICMP, fraggle attacks use UDP ports 7 and 19.

22
Q
What is a Ping of Death (PoD) attack?
A

A Ping of Death (PoD) attack is a denial-of-service (DoS) attack in which the attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size, causing the target machine to freeze or crash.

23
Q
What is a teardrop attack?
A

An attacker fragments traffic in such a way that a system is unable to put the data packets back together.

24
Q
What is a land attack?
A

A land attack occurs when an attacker sends spoofed SYN packets using the victim’s address as both the source and the destination IP address.

25
Q
How can you protect against land attacks?
A

Patching, and filtering traffic to detect packets with identical source and destination addresses.

26
Q
What is a zero-day attack?
A

A zero-day attack refers to an attack on a system exploiting a vulnerability that is unknown to others.

27
Q
List 3 instances of zero-day attacks:
A

• The attacker first discovers a vulnerability.
• The vendor learns of the vulnerability.
• The vendor releases a patch. However, organisations often take time to evaluate and test a patch before applying it, resulting in a gap between when the vendor releases the patch and when administrators apply it.

28
Q
How to protect systems against zero-day exploits?
A

• Ensure that you are not running unneeded services and protocols.
• Enable network-based and host-based firewalls.
• Use IDS and IPS.

29
Q
What is Exploit Wednesday?
A

Exploit Wednesday refers to attackers reverse-engineering patches to understand them, and then exploiting the vulnerabilities they fix the next day.

30
Q
What is malicious code?
A

Malicious code is any script or program that performs unwanted, unauthorised, or unknown activity on a computer system.

31
Q
List some types of malicious code:
A

Viruses, worms, trojan horses, destructive macros, and logic bombs.

32
Q
What is a drive-by download?
A

Drive-by downloads are code downloaded and installed on a user’s system without the user’s knowledge.
• Attackers modify the code on a web page, and when the user visits, the code downloads and installs malware on the user’s system without the user’s knowledge or consent.

33
Q
What is a man-in-the-middle (MITM) attack?
A

A man-in-the-middle attack occurs when a malicious user can logically gain a position between two endpoints of an ongoing communication.

34
Q
List 2 types of man-in-the-middle (MITM) attacks:
A

• One involves copying or sniffing traffic between two parties (sniffer attack).
• The other involves the attacker positioning themselves in the line of communication.

35
Q
What is employee sabotage?
A

Employee sabotage is a criminal act of destruction or disruption committed against an organisation by an employee.

36
Q
How to safeguard against employee sabotage:
A

Intensive auditing, monitoring for abnormal or unauthorised activity, keeping lines of communication open between employees and managers, and properly compensating and recognising employees for their contributions.

37
Q
What is espionage?
A

Espionage is the malicious act of gathering proprietary, secret, private, sensitive or confidential information about an organisation.

38
Q
List some countermeasures for espionage:
A

Countermeasures against espionage are to strictly control access to all non-public data, thoroughly screen new employee candidates, and efficiently track all employee activities.

39
Q
What is intrusion detection?
A

Intrusion detection is a specific form of monitoring that examines recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.

40
Q
What are intrusion detection systems?
A

Intrusion detection systems automate the inspection of logs and real-time system events to detect intrusion attempts and system failures.

41
Q
IDPS means:
A

Intrusion Detection and Prevention Systems.

42
Q
IDSs are effective in detecting ____ and ____ attacks:
A

DoS and DDoS attacks.

43
Q
IDS evaluates data and can detect malicious behaviour using two common methods; list them:
A

Knowledge-based detection and behaviour-based detection.

44
Q
What is knowledge-based detection?
A

Knowledge-based detection is also called signature-based detection or pattern-matching detection.
• Real-time traffic is matched against the signature database, and if the IDS finds a match, it raises an alert.

45
Q
What is behaviour-based detection?
A

Behaviour-based detection starts by creating a baseline of normal activities and events on the system.
• It is also known as statistical intrusion detection or heuristics-based detection.
• The primary drawback of a behaviour-based IDS is that it often raises a high number of false alarms, also called false alerts or false positives.

46
Q
What are SIEM systems?
A

Security Information and Event Management (SIEM) systems. Many IPSs and IDSs send collected data to a SIEM system. A SIEM system also collects data from other sources within the network.
• It provides real-time monitoring of traffic, and analysis and notification of potential attacks.
• Additionally, it provides long-term storage of data, allowing security professionals to analyse the data.

47
Q
Explain the passive IDS response:
A

A passive response logs the event and sends a notification, e.g. emails, text messages, etc.

48
Q
Explain active IDS responses:
A

An active IDS logs and notifies personnel just as a passive IDS does, but it can also change the environment to thwart or block the attack.

For example, it can modify access control lists (ACLs) on firewalls to block offending traffic, close processes on a system that were caused by the attack, or divert the attack to a safe environment, such as a honeynet or honeypot.

49
Q
Types of intrusion detection systems (IDS):
A

Host-based IDS (HIDS) or network-based IDS (NIDS).

50
Q
What is a host-based intrusion detection system (HIDS)?
A

A HIDS monitors a single computer or host.
• Mostly installed on servers.

51
Q
What is a network-based intrusion detection system (NIDS)?
A

A NIDS monitors a network by observing network traffic patterns, evaluating network activity to detect attacks or event anomalies.
• NIDS usually support central administration.

52
Q
What are the benefits of HIDS over NIDS?
A

HIDS can detect anomalies on the host system that NIDS cannot detect. HIDS

53
Q
_______ can be used as a preventive measure against rogue sniffers.
A

Switches

54
Q
Disadvantages of HIDS:
A

Cost, and used only on servers. HIDS cannot detect network attacks on other systems. NIDS use central administration.

55
Q
NIDS can discover the source of an attack by performing _____ and _____:
A

Reverse Address Resolution Protocol (RARP) and reverse Domain Name System (DNS) lookups.

56
Q
______ are individual computers created as a trap for intruders.
A

Honeypots

57
Q
What are honeynets?
A

A honeynet is two or more networked honeypots used together to simulate a network.

58
Q
Advantages of honeypots?
A

They keep intruders away from the legitimate network, and administrators can observe the mode of attack.

59
Q
What are pseudo flaws?
A

Pseudo flaws are false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers. They are often used on honeypot systems to emulate well-known operating system vulnerabilities.

60
Q
What are padded cells?
A

A padded cell system is similar to a honeypot, but it performs intrusion isolation using a different approach. When an IDPS detects an intruder, that intruder is automatically transferred to a padded cell.

61
Q
What are warning banners?
A

Warning banners inform users and intruders about basic security policy guidelines.

62
Q
Another name for anti-malware is ______:
A

Antivirus

63
Q
What is whitelisting?
A

A whitelist identifies the list of applications authorised to run on a system, e.g. Apple iOS.
• A whitelist would not include malware applications and would block them from running.
• Some whitelists identify applications using a hashing algorithm to create a hash.

64
Q
What is blacklisting?
A

A blacklist identifies the applications that are not authorised to run on a system.

65
Q
What is jailbreaking?
A

Jailbreaking removes the restrictions on iOS devices and permits root-level access to the underlying operating system.

66
Q
What are firewalls?
A

Firewalls protect a network by filtering traffic. Basic firewalls filter traffic based on IP addresses, ports, and some protocols using protocol numbers.

67
Q
List some techniques used in penetration testing:
A

Vulnerability scanning, port scans, packet sniffing, DoS attacks and social-engineering techniques.

68
Q
What is a zero-knowledge team?
A

A zero-knowledge team knows nothing about the target site except for publicly available information such as the domain name and company address. This is also known as black-box testing.

69
Q
What is a full-knowledge team?
A

A full-knowledge team has full access to all target areas. They know which patches are installed and the exact configuration of all the relevant devices.

70
Q
What is a partial-knowledge team?
A

A partial-knowledge team has some knowledge of the target but is not provided with all the information. This is also known as grey-box testing.

71
Q
What is logging?
A

Logging records events.

72
Q
What is monitoring?
A

Monitoring reviews events.

73
Q
List some common log types:
A

Security logs, system logs, application logs, firewall logs.

74
Q
What are security logs?
A

Security logs contain events related to security, such as login attempts, object access, and file deletion.

75
Q
What are system logs?
A

System logs record system events such as when a system starts or stops or when services start or stop.

76
Q
What are application logs?
A

Application logs record information for specific applications.

77
Q
What are firewall logs?
A

Firewall logs can record events related to any traffic that reaches a firewall.

78
Q
What are proxy logs?
A

Proxies improve internet access performance for users and can control what websites users can visit.
• Proxy logs can record details such as what sites specific users visit and how much time they spend on these sites. They can also record when users attempt to visit known prohibited sites.

79
Q
What are audit trails?
A

Audit trails are records created when information about events and occurrences is stored in one or more databases or log files.

80
Q
What is monitoring?
A

Monitoring is the process of reviewing information logs looking for something specific.

81
Q
What is log analysis?
A

Log analysis is a detailed and systematic form of monitoring in which the logged information is analysed for trends and patterns as well as abnormal, unauthorised, illegal and policy-violating activities.

82
Q
What is sampling?
A

Sampling, or data extraction, is the process of extracting meaningful information from a large collection of data to construct a meaningful representation or summary of the whole.

83
Q
What is clipping?
A

Clipping is nonstatistical sampling. It selects only events that exceed a clipping level, which is a predefined threshold for the event. The system ignores the event until it reaches that threshold, e.g. account lockout.

84
Q
List some monitoring tools:
A

• Keystroke monitoring
• Traffic and trend analysis
• Egress monitoring
• Data loss prevention

85
Q
What is keystroke monitoring?
A

Keystroke monitoring is the act of recording the keystrokes a user performs on a physical keyboard, e.g. use of a keylogger.

86
Q
What are traffic analysis and trend analysis?
A

Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than the actual packet contents.
• They are also known as network flow monitoring.

87
Q
What is egress monitoring?
A

Egress monitoring involves the monitoring of outgoing traffic to prevent data exfiltration.

88
Q
What is data exfiltration?
A

Data exfiltration is the unauthorised transfer of data outside the organisation.

89
Q
List some methods of preventing data exfiltration:
A

Data Loss Prevention (DLP) techniques, steganography, watermarking.

90
Q
What are Data Loss Prevention (DLP) systems?
A

Data Loss Prevention (DLP) systems attempt to detect and block data exfiltration attempts.

91
Q
What are pattern-matching DLP systems?
A

Pattern-matching DLP systems look for specific patterns.

92
Q
List the 2 types of DLP systems:
A

Network-based DLP and endpoint-based DLP.

NB: A DLP system doesn’t have the ability to decrypt data.

93
Q
What is network-based DLP?
A

Network-based DLP scans all outgoing data looking for specific data. It sends an alert to the administrator.

94
Q
What is endpoint-based DLP?
A

An endpoint-based DLP scans files stored on a system as well as files sent to external devices, such as printers.

95
Q
What is watermarking?
A

Watermarking is the practice of embedding an image or pattern in paper that isn’t readily perceivable.

96
Q
What is auditing?
A

Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorised occurrences or crimes.

97
Q
Example of due care:
A

Audits.

98
Q
What are interim reports?
A

An interim report is a written or verbal report given to the organisation about any observed security weakness or policy/procedure mismatch that demands immediate action.