Chapter 7: Security Operations Flashcards
Operations Security
Primarily concerned with the protection and control of information processing assets in centralized and distributed environments.
Security Operations
Primarily concerned with the daily tasks required to keep security services operating reliably and efficiently. Operations security is a quality of other services; security operations is a service in its own right.
Control Mechanisms
Protect information and resources from unauthorized disclosure, modification, and destruction.
Types of Control Mechanisms
Physical, Administrative, Technical
Administrative Controls
Development of policies, standards, and procedures; screening personnel; security awareness training; monitoring system and network activity; change control. Example: procedures indicating how servers should be installed, annual security awareness education for all employees, implementing a change control program.
Technical Controls
Logical mechanisms that provide password and resource management, identification and authentication, and software configurations. Example: anti-virus software, intrusion detection systems, locking down operating systems, encryption, firewalls.
Physical Controls
Protecting individual systems, the network, employees, and the facility from physical damage. Example: removing floppy drives from computers, locking chassis, security guards monitoring the facility, air conditioning and humidity control.
Preventative Access Control
Controls used to prevent undesirable events from taking place.
Detective Access Control
Controls used to identify undesirable events that have occurred.
Corrective Access Control
Controls used to correct the effects of undesirable events.
Deterrent Access Control
Controls used to discourage security violations.
Recovery Access Control
Controls used to restore resources and capabilities.
Compensation Access Control
Controls used to provide alternate solutions.
MTBF
Mean time to failure: how long a device will last.
MTTR
Mean time to repair: how long the recovery takes.
RAID - 0
Disk striping.
RAID 1
Mirroring.
RAID 5
Disk striping with parity: fault tolerance + speed.
Clustering
Two or more nodes acting as a single logical entity. Can provide load balancing, but not always.
Full Backup
Archive bit is reset (the archive bit is a flag indicating that the file has been backed up).
Incremental Backup
Backs up all files that have been modified since the last backup. Archive bit is reset.
Differential Backup
Backs up all files that have been modified since the last full backup. Archive bit is not reset. Will always have to restore 2 tapes.
Copy Backup
Same as a full backup, but the archive bit is not reset. Use before upgrades or system maintenance: take a copy backup before making a system backup.
Configuration Management
A process of identifying and documenting hardware components, software, and the associated settings, including BIOS settings, etc. Everything needs to be documented.
System Hardening
Removing unnecessary services; installing the latest service packs and patches; renaming default accounts; changing default settings; enabling security configurations like auditing, firewalls, updates, etc. Don’t forget physical security!
Change Management
Directive, administrative control that should be incorporated into organizational policy. The formal review of all proposed changes; no “on-the-fly” changes. Only approved changes will be implemented. The ultimate goal is system stability. Periodic reassessment of the environment to evaluate the need for upgrades/modifications. Know the flow of how it works*
Change management process
Request submittal; risk/impact assessment; approval or rejection of change; testing; scheduling/user notification/training; implementation; validation; documentation.
Patch Management
An essential part of configuration and change management. May come as a result of vendor notification or pen testing. Cve.mitre.org (Common Vulnerabilities and Exposures) database provides standard conventions for known vulnerabilities. Nvd.nist.gov enables automation of vulnerability management, security measurement, and compliance; NVD includes databases of security checklists, security-related software flaws, incorrect configurations, product names, and impact metrics. www.cert.gov: online resource concerning common vulnerabilities and attacks.
Trusted Recovery
System reboot, emergency system restart, system cold start. No compromise of protection mechanisms or possibility of bypassing them. Preparing the system for failure and recovering the system. Failure of the system cannot be used to breach security: it fails in a secure manner.
Media Management
Production libraries: hold software used in the production environment. Programmer libraries: hold work in progress. Source code libraries: hold source code and should be escrowed (3rd-party storage). Media library: hardware centrally controlled.
Media Librarian
Librarian controls access. Log who takes what materials out and when. Materials should be properly labeled. Media must be properly sanitized when necessary: zeroization (previous DoD standards required seven wipes; currently only one is required); degaussing (only good for magnetic media); coercivity: the amount of energy required to reduce the magnetic field to zero; physical destruction (the best means of removing remnants).
Identity Management
Controls the lifecycle of all accounts in a system.
Access Management
Controls the assignment of rights/privileges to those accounts.
ID and Access management per ISC2
“focus on harmonizing the provisioning of users and managing their access across multiple systems with different native access control systems”.
Security Review
Conducted by system maintenance or security personnel. Goal is to determine vulnerabilities within a system. Also known as a vulnerability assessment.
Security Audit
Conducted by a 3rd party. Determines the degree to which required controls are implemented.
Vulnerability Assessment
Physical / administrative / logical. Identify weaknesses. Less intrusive.
PEN Testing
Ethical hacking to validate discovered weaknesses. Red teams (attack) / blue teams (defend).
Zero Knowledge attack
(Black box testing): the team has no knowledge of the target and must start with only information that is publicly available. This simulates an external attack.
Partial Knowledge attack
The team has limited knowledge of the organization.
Full Knowledge attack
This simulates an internal attack. The team has full knowledge of network operations.
Blind PEN
Attacker has no prior knowledge; internal staff know the test is taking place.
Double Blind
Attacker has no knowledge of the internal structure; staff don’t know the test is taking place.
Targeted
Staff work with the pen testers on specific targets.
Attack Methodology 1 of 2
1. Reconnaissance: WhoIs database, company website, job search engines, social networking. 2. Footprinting: mapping the network (Nmap), ICMP ping sweeps, DNS zone transfers. 3. Fingerprinting: identifying host information, port scanning. 4. Vulnerability assessment: identifying weaknesses in system configurations, discovering unpatched software.
Attack Methodology 2 of 2
5. The “attack”: penetration; privilege escalation (Run As, SU); root kits: a collection of tools to allow continued access, includes back door software, can update the kernel of the operating system, very difficult to detect. 6. Cover tracks: trojaned programs (the attacker replaces default utilities with ones that masquerade as system utilities providing normal services, except that they help hide the backdoor software); log scrubbers.
Why PEN Test???
Risk analysis; certification; accreditation; security architectures; policy development; responsible approach to overall security; boost the company’s position in the marketplace.
Why do PEN tests work?
Lack of awareness; policies not enforced; procedures not followed; disjointed operations between departments; systems not patched.
PEN Test Requirements
Three basic requirements: a defined goal, which should be clearly documented; a limited timeline outlined with management; approval by senior management (only management should approve this type of activity). SIGNED OFF….
PEN Rules of Engagement
Specific IP addresses/ranges to be tested; any restricted hosts; a list of acceptable testing techniques; times when testing is to be conducted; points of contact for the penetration testing team, the targeted systems, and the networks; measures to prevent law enforcement being called with false alarms; handling of information collected by the penetration testing team.
3 Types of PEN Test
Physical security: access into the building or department (wiring closets, locked file cabinets, offices, server room, sensitive areas), removing materials from the building. Administrative security: help desk giving out sensitive information, data on disposed disks. Logical security: attacks on systems, networks, communication.
nmap
A port scanner.
Vulnerability Scanning
Identifying: active hosts on the network; active and vulnerable services (ports) on hosts; applications; operating systems; vulnerabilities associated with discovered OS and applications; misconfigured settings.
Dictionary Attack
Goes through a dictionary of candidate passwords.
Brute Force
Tries every single password combination.
Rainbow Table
Trying to find a match to the hash.
Rogue Infrastructures
Unauthorized DHCP and DNS servers.
War Dialing
Trying to find modem lines.
PEN test discovers a serious issue
Stop and report.
Log Reviews
Periodically check the logs; it is good to be proactive and take a look.
Side Channel Attacks
Looking at where traffic is going.
Traffic Padding
Generating spurious data in traffic to make traffic analysis more difficult. Sending out decoy attacks. The amount and nature of traffic may be masked. Attempt to keep traffic constant so no information can be gained.
IDS
Software used to monitor a network segment or an individual computer. Used to detect attacks and other malicious activity. Dynamic in nature. PASSIVE SYSTEM***** a glorified sniffer that has an analysis engine.
Network Based IDS
Monitors traffic on a network segment. Computer or network appliance with NIC in promiscuous mode. Sensors communicate with a central management console. A sniffer with an analysis engine.
Host Based IDS
Small agent programs that reside on individual computers. Detects suspicious activity on one system, not a network segment.
Where to put the IDS
In the DMZ.
Difference between IDS and Sniffer
The analysis engine, which works as follows. Pattern matching: rule-based intrusion detection, signature-based intrusion detection, knowledge-based intrusion detection. Profile comparison: statistical-based intrusion detection, anomaly-based intrusion detection, behavior-based intrusion detection.
Signature-Based IDS Systems
Signature-based: MOST COMMON. The IDS has a database of signatures, which are patterns of previously identified attacks. Cannot identify new attacks. Database needs continual updates.
Behavior-Based IDS Systems
Behavior-based: compares audit files, logs, and network behavior, and develops and maintains profiles of normal behavior. Better defense against new attacks. Creates many false positives.
IDS response options
Passive: page or e-mail the administrator; log the event. Active: send reset packets to the attacker’s connections; change a firewall or router ACL to block an IP address or range; reconfigure the router or firewall to block the protocol being used for the attack.
IDS Port Span
Makes the switch act like a hub so the IDS captures all traffic.
Promiscuous Mode
The IDS needs an interface that receives everything.
Insertion Attack
Disguising malicious code.
Honeypot
A distractor. Pseudo flaw: a loophole purposely added to an operating system or application to trap intruders. A sacrificial lamb system on the network; administrators hope that intruders will attack this system instead of their production systems. It is enticing because many ports are open and services are running. Honeynet: a collection of honeypots.
Enticement vs Entrapment
Make it look vulnerable to keep the attacker busy.
Padded Cell
An area of isolation, like a Java sandbox.
Phishing
Social engineering via email crafted to entice the user.
Spoofing
Emails that look authentic.
Whitelist
All traffic is denied except what is on the list.