Chapter 5: Security Operations

Question 1

Data Lifecycle

Answer 1

The data security life cycle model is useful because it can align easily with the different roles that people and organizations perform during the evolution of data from creation to destruction (or disposal). It also helps put the different data states of in use, at rest and in motion, into context. Let’s take a closer look.

All ideas, data, information or knowledge can be thought of as going through six major sets of activities throughout its lifetime. Conceptually, these involve:
- Create
- Store
- Use
- Share
- Archive
- Destroy

Question 2

Classification

Question 3

Labeling

Answer 3

Security labels are part of implementing controls to protect classified information. It is reasonable to want a simple way of assigning a level of sensitivity to a data asset, such that the higher the level, the greater the presumed harm to the organization, and thus the greater security protection the data asset requires.

• Highly restricted: Compromise of data with this sensitivity label could possibly put the organization’s future existence at risk. Compromise could lead to substantial loss of life, injury or property damage, and the litigation and claims that would follow.
• Moderately restricted: Compromise of data with this sensitivity label could lead to loss of temporary competitive advantage, loss of revenue or disruption of planned investments or activities.
• Low sensitivity (sometimes called “internal use only”): Compromise of data with this sensitivity label could cause minor disruptions, delays or impacts.
• Unrestricted public data: As this data is already published, no harm can come from further dissemination or disclosure.

Question 4

Retention

Answer 4

Information and data should be kept only for as long as it is beneficial, no more and no less. For various types of data, certain industry standards, laws and regulations define retention periods. When such external requirements are not set, it is an organization’s responsibility to define and implement its own data retention policy. Data retention policies are applicable both for hard copies and for electronic data, and no data should be kept beyond its required or useful life. Security professionals should ensure that data destruction is being performed when an asset has reached its retention limit. For the security professional to succeed in this assignment, an accurate inventory must be maintained, including the asset location, retention period requirement, and destruction requirements.

Question 5

Destruction

Question 6

Remanence

Answer 6

Data that might be left on media after deleting is known as remanence and may be a significant security concern. Steps must be taken to reduce the risk that data remanence could compromise sensitive information to an acceptable level.

Question 7

Ingress Monitoring

Answer 7

Different tools are used depending on whether the risk from the attack is from traffic coming into or leaving the infrastructure. Ingress monitoring refers to surveillance and assessment of all inbound communications traffic and access attempts. Devices and tools that offer logging and alerting opportunities for ingress monitoring include:

• Firewalls
• Gateways
• Remote authentication servers
• IDS/IPS tools
• SIEM solutions
• Anti-malware solutions

Question 8

Egress Monitoring

Answer 8

Egress monitoring is used to regulate data leaving the organization’s IT environment. The term currently used in conjunction with this effort is data loss prevention (DLP) or data leak protection. The DLP solution should be deployed so that it can inspect all forms of data leaving the organization, including:

• Email (content and attachments)
• Copy to portable media
• File Transfer Protocol (FTP)
• Posting to web pages/websites
• Applications/application programming interfaces (APIs)

Question 9

Hashing

Answer 9

Hashing takes an input set of data (of almost arbitrary size) and returns a fixed-length result called the hash value. A hash function is the algorithm used to perform this transformation. When used with cryptographically strong hash algorithms, this is the most common method of ensuring message integrity today.

To be useful and secure, a cryptographic hash function must demonstrate five main properties: 

• Useful: It is easy to compute the hash value for any given message.
• Nonreversible: It is computationally infeasible to reverse the hash process or otherwise derive the original plaintext of a message from its hash value (unlike an encryption process, for which there must be a corresponding decryption process).
• Content integrity assurance: It is computationally infeasible to modify a message such that re-applying the hash function will produce the original hash value.
   
• Unique: It is computationally infeasible to find two or more different, sensible messages that hash to the same value.
• Deterministic: The same input will always generate the same hash, when using the same hashing algorithm.

Question 10

Configuration Management

Answer 10

Configuration management is a process and discipline used to ensure that the only changes made to a system are those that have been authorised and validated. It is both a decision-making process and a set of control processes. If we look closer at this definition, the basic configuration management process includes components such as identification, baselines, updates and patches.

Question 11

Application Server

Answer 11

A computer responsible for hosting applications to user workstations.

Question 12

Asymmetric Encryption

Answer 12

An algorithm that uses one key to encrypt and a different key to decrypt the input plaintext.

Question 13

Checksum

Answer 13

A digit representing the sum of the correct digits in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data.

Question 14

Ciphertext

Answer 14

The altered form of a plaintext message so it is unreadable for anyone except the intended recipients. In other words, it has been turned into a secret.

Question 15

Cryptanalysis

Answer 15

One who performs cryptanalysis which is the study of mathematical techniques for attempting to defeat cryptographic techniques and/or information systems security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or of the algorithm itself.

Question 16

Cryptography

Answer 16

The study or applications of methods to secure or protect the meaning and content of messages, files, or other information, usually by disguise, obscuration, or other transformations of that content and meaning.

Question 17

DLP

Answer 17

Data Loss prevention

System capabilities designed to detect and prevent the unauthorised use and transmission of information.

Question 18

Decryption

Answer 18

The reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and the appropriate key for decryption (which is the same for symmetric encryption, but different for asymmetric encryption). This term is also used interchangeably with the “deciphering.”

Question 19

Degaussing

Answer 19

A technique of erasing data on disk or tape (including video tapes) that, when performed properly, ensures that there is insufficient magnetic remanence to reconstruct data.

Question 20

Digital Signature

Answer 20

The result of a cryptographic transformation of data which, when properly implemented, provides the services of origin authentication, data integrity, and signer non-repudiation.

Question 21

Hardening

Answer 21

A reference to the process of applying secure configurations (to reduce the attack surface) and locking down various hardware, communications systems, and software, including operating system, web server, application server, application, etc. Hardening is normally performed based on industry guidelines and benchmarks, such as those provided by the Center for Internet Security.

According to NIST SP 800-152, hardening is defined as the process of eliminating the means of an attack by simultaneously patching vulnerabilities and turning off nonessential services. “One of the best ways to achieve a hardened system is to have updates, patches, and service packs installed automatically”.

Question 22

Message Digest

Answer 22

A digital signature that uniquely identifies data and has the property such that changing a single bit in the data will cause a completely different message digest to be generated.

Question 23

Operating System

Answer 23

The software “master control application” that runs the computer. It is the first program loaded when the computer is turned on, and its main component, the kernel, resides in memory at all times. The operating system sets the standards for all application programs (such as the Web server) that run in the computer. The applications communicate with the operating system for most user interface and file management operations.

Question 24

Patch

Answer 24

A software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component.

Question 25

Patch Management

Answer 25

The systematic notification, identification, deployment, installation and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.

Question 26

Security Governance

Answer 26

The entirety of the policies, roles, and processes the organization uses to make security decisions in an organization.

Question 27

Social Engineering

Answer 27

Tactics to infiltrate systems via email, phone, text, or social media, often impersonating a person or agency in authority or offering a gift. A low-tech method would be simply following someone into a secure building.

Question 28

Symmetric Encryption

Answer 28

An algorithm that uses the same key in both the encryption and the decryption processes.

Question 29

Change Management

Answer 29

All significant change management practices address typical core activities: Request For Change (RFC), Approval, and Rollback.

Question 30

Clearing

Answer 30

Clearing is a method used to eliminate the residual physical effects of writing original values to a storage device. This process involves overwriting the data with zeros or ones to ensure the original data cannot be retrieved. For example, when a hard disk is erased, all previously stored data is overwritten, making it impossible to recover the original data.