Chapter 7: Security Operations

Question 1

Operations Security

Answer 1

Security is primarily concerned with the protection and control of information processing assets in centralized and distributed environments

Question 2

Security Operations

Answer 2

are primarily concerned with the daily tasks required to keep security services operating reliable and efficiently. Operations security is a quality of other services. Security operations is a service in its own right”

Question 3

control Mechanisms

Answer 3

Protect information and resources from unauthorized disclosure, modification, and destruction

Question 4

Types of Control Mechanisms

Answer 4

PhysicalAdministrativeTechnical

Question 5

Administrative Controls

Answer 5

Development of policies, standards, and procedures Screening personnel, security awareness training, monitoring system and network activity, and change controlExample: - Procedures indicating how servers should be installed, annual security awareness education for all employees, implementing a change control program.

Question 6

Technical Controls

Answer 6

Logical mechanisms that provide password and resource management, identification and authentication, and software configurationsExample: - Anti-virus software, intrusion detection systems, locking down operating systems, encryption, firewalls.

Question 7

Physical Controls

Answer 7

Protecting individual systems, the network, employees, and the facility from physical damageExample: - Removing floppy drives from computers, locking chassis’s, security guards monitoring the facility, air conditioning and humidity control.

Question 8

Preventative Access Control

Answer 8

Controls to prevent undesirable events from taking place

Question 9

Detective Access Control

Answer 9

Controls used to identify undesirable events that have occurred.

Question 10

Corrective Access Control

Answer 10

Controls Used to Correct effects of undesirable events.

Question 11

Deterrent Access Control

Answer 11

Controls used to discourage security violations

Question 12

Recovery Access Control

Answer 12

Controls used to restore resources and capabilities

Question 13

Compensation Access Control

Answer 13

Controls used to provide alternate solutions

Question 14

MTBF

Answer 14

mean time to failure how long will a device last

Question 15

MTTR

Answer 15

mean time to repair how long for the recovery

Question 16

RAID - 0

Answer 16

Disk striping

Question 17

Raid 1

Answer 17

mirroring

Question 18

Raid 5

Answer 18

Disk striping with parity: fault tolerance + speed

Question 19

Clustering

Answer 19

2 or more nodes acting as a single or logical entity. can provide load balancing but not always.

Question 20

Full Backup

Answer 20

Archive bit is reset (is is a flag saying hey i got backed up)

Question 21

Incremental Backup

Answer 21

Backs up all files that have been modified since last backupArchive Bit is reset

Question 22

Differential Backup

Answer 22

Backs up all files that have been modified since last full backupArchive Bit is not resetAlways will have to restore 2 tapes

Question 23

Copy Backup

Answer 23

Same as full backup, but Archive Bit is not resetUse before upgrades, or system maintenanceCopy backup before making a system backup.

Question 24

configuration management

Answer 24

a process of identifying and documenting hardware components, software and the associated settings.” including bios settings…etc.everything needs to be documented

Question 25

System Hardening

Answer 25

Removing Unnecessary ServicesInstalling the latest services packs and patchesRenaming default accountsChanging default settingsEnabling security configurations like auditing, firewalls, updates, etcDon’t forget physical security!

Question 26

Change Management

Answer 26

Directive, Administrative Control that should be incorporated into organizational policy. The formal review of all proposed changes–no “on-the-fly” changes Only approved changes will be implementedThe ultimate goal is system stabilityPeriodic reassessment of the environment to evaluate the need for upgrades/modificationsknow the flow of how it works*

Question 27

Change management process

Answer 27

Request SubmittalRisk/Impact AssessmentApproval or Rejection of ChangeTestingScheduling/User Notification/TrainingImplementationValidationDocumentation

Question 28

Patch Management

Answer 28

An essential part of Configuration and Change ManagementMay come as a result of vendor notification or pen testingCve.mitre.org (Common Vulnerability and Exposures) database provides standard conventions for known vulnerabilitiesNvd.nist.gov Enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, incorrect configurations, product names, and impact metrics. www.cert.gov: Online resource concerning common vulnerabilities and attacks

Question 29

Trusted Recovery

Answer 29

System reboot, emergency system restart, system cold startNo compromise of protection mechanisms or possibility of bypassing themPreparing system for failure and recovering the systemFailure of system cannot be used to breach securityFails - in a secure manner….

Question 30

Media Management

Answer 30

Production Libraries–Holds software used in production environmentProgrammer Libraries–Holds work in progressSource Code Libraries–Holds source code and should be escrowed (3rd Party Storage)Media Library–Hardware centrally controlled

Question 31

Media Librarian

Answer 31

Librarian to control accessLog who takes what materials out and whenMaterials should be properly labeledMedia must be properly sanitized when necessaryZeroization (Previous DoD standards required seven wipes. Currently, only one is required.)Degaussing (Only good for magnetic media)Coercivity: Amount of energy required to reduce the magnetic field to zeroPhysical destruction (The best means of removing remnants).

Question 32

Identity Management

Answer 32

Controls the lifecycle for all accounts is a system

Question 33

Access Managament

Answer 33

Controls the assignment of rights/privileges to those accounts.

Question 34

ID and Access management per ISC2

Answer 34

“focus on harmonizing the provisioning of users and managing their access across multiple systems with different native access control systems”.

Question 35

Security Review

Answer 35

Conducted by system maintenance or security personnel Goal is determine vulnerabilities within a system. Also known as a vulnerability assessment

Question 36

Security Audit

Answer 36

Conducted by 3rd partyDetermines the degree to which required controls are implemented

Question 37

Vulnerability Assesment

Answer 37

Physical / Administrative/ LogicalIdentify weaknessesless intrusive

Question 38

PEN Testing

Answer 38

Ethical hacking to validate discovered weaknessesRed Teams (Attack)/Blue Teams (Defend)

Question 39

Zero Knowledge attack

Answer 39

(Black Box Testing): Team has no knowledge of the target and must start with only information that is publically available. This simulates an external attack

Question 40

Partial Knowledge attack

Answer 40

The team has limited knowledge of the organization

Question 41

Full Knowledge attack

Answer 41

This simulates an internal attack. The team has full knowledge of network operations

Question 42

Blind PEN

Answer 42

attacker have no internal staff know

Question 43

Double Blind

Answer 43

attack have no internal structure staff doesn’t know what’s up

Question 44

Targeted

Answer 44

Staff works with pen guys on specific things

Question 45

Attack Methodology 1 of 2

Answer 45

1. Reconnaissance WhoIs Database, Company Website, Job Search Engines, Social Networking2. Footprinting Mapping the network (Nmap) ICMP ping sweeps DNS zone transfers3. Fingerprinting Identifying host information Port scanning4. Vulnerability assessment Identifying weaknesses in system configurations Discovering unpatched software

Question 46

Attack Methodology 2 of 2

Answer 46

5. The “attack” Penetration Privilege escalation Run As, SU Root kits Colllection of tools to allow continued access. Includes Back Door softwareCan update the kernel of the operating systemVery difficult to detect Cover tracksTrojaned Programs: The Attacker replaces default utilities with ones that masquerade as system utilities that provide normal services, with the exception of helping identifiy the backdoor softwareLog Scrubbers

Question 47

Why PEN Test???

Answer 47

Risk analysisCertificationAccreditationSecurity architecturesPolicy developmentResponsible approach to overall securityBoost company’s position in marketplace

Question 48

Why do PEN test work?

Answer 48

Lack of awarenessPolicies not enforced Procedures not followedDisjointed operations between departmentsSystems not patched

Question 49

PEN Test Requiremetn

Answer 49

Three basic requirements:Defined goal, which should be clearly documentedLimited timeline outlined with managementApproved by senior management; only management should approve this type of activitySIGNED OFF….

Question 50

PEN Rules of Engagement

Answer 50

Specific IP addresses/ranges to be tested Any restricted hostsA list of acceptable testing techniquesTimes when testing is to be conductedPoints of contact for the penetration testing team, the targeted systems, and the networks Measures to prevent law enforcement being called with false alarmsHandling of information collected by penetration testing team

Question 51

3 Types of PEN Test

Answer 51

Physical Security –Access into building or department–Wiring closets, locked file cabinets, offices, server -room, sensitive areasRemove materials from buildingAdministrative Security—Help desk giving out sensitive information, data on disposed disksLogical Security–Attacks on systems, networks, communication

Question 52

nmap

Answer 52

a port scanner

Question 53

vulnerability scanning

Answer 53

ID’ing:Active hosts on network Active and vulnerable services (ports) on hostsApplicationsOperating systemsVulnerabilities associated with discovered OS & applicationsMisconfigured settings

Question 54

dictionary attack

Answer 54

goes through dictionary

Question 55

Brute Force

Answer 55

try every single pass combo

Question 56

Rainbow Table

Answer 56

Trying to find a match to the hash

Question 57

Rogue Infrastructures

Answer 57

unathorized dhcp and dns servers

Question 58

War Dialing

Answer 58

trying to find modem lines

Question 59

PEN discover serious issue

Answer 59

stop and report

Question 60

Log Reviews

Answer 60

Periodically check the logs…good to be proactive and taking a look

Question 61

side channel attacks

Answer 61

looking where traffic is going

Question 62

traffic padding

Answer 62

Generating spurious data in traffic to make traffic analysis more difficultSending out decoy attacksThe amount and nature of traffic may be maskedAttempt to keep traffic constant so no information can be gained

Question 63

IDS

Answer 63

Software is used to monitor a network segment or an individual computerUsed to detect attacks and other malicious activityDynamic in naturePASSIVE SYSTEM***** a glorified snifferhas analysis engine

Question 64

Network Based IDS

Answer 64

Monitors traffic on a network segmentComputer or network appliance with NIC in promiscuous modeSensors communicate with a central management consolesniffer with analysis engine

Question 65

Host Based IDS

Answer 65

Small agent programs that reside on individual computerDetects suspicious activity on one system, not a network segment

Question 66

where put IDS

Answer 66

in the DMZ

Question 67

Difference between IDS and Sniffer

Answer 67

the anlysis engine with works like this you hunk:Pattern Matching-Rule-Based Intrusion Detection-Signature-Based Intrusion Detection-Knowledge-Based Intrusion DetectionProfile Comparison-Statistical-Based Intrusion Detection-Anomaly-Based Intrusion Detection-Behavior-Based Intrusion Detection

Question 68

Sig Based IDS Systems

Answer 68

Signature-based—MOST COMMONIDS has a database of signatures, which are patterns of previously identified attacksCannot identify new attacks Database needs continual updates

Question 69

Behaviors IDS system

Answer 69

Behavior-basedCompares audit files, logs, and network behavior, and develops and maintains profiles of normal behaviorBetter defense against new attacksCreates many false positives

Question 70

IDS response options

Answer 70

Passive:Page or e-mail administratorLog eventActiveSend reset packets to the attacker’s connectionsChange a firewall or router ACL to block an IP address or rangeReconfigure router or firewall to block protocol being used for attack

Question 71

IDS Portspan

Answer 71

make switch act like hub for IDS captures

Question 72

Permiscous mode

Answer 72

IDS Needs an interface that gets everything…

Question 73

Insertion Attack

Answer 73

disguising malicious code

Question 74

honeypot

Answer 74

a distractorPseudo Flaw: Loophole purposely added to operating system or application to trap intruders Sacrificial lamb system on the networkAdministrators hope that intruders will attack this system instead of their production systemsIt is enticing because many ports are open and services are runninghoneynet- a collection of honeyposts

Question 75

Enticement vs Entrapment

Answer 75

make it look vunerable keep attacker buys

Question 76

padded cell

Answer 76

and area of isolation like java…a sandbox

Question 77

Phishing

Answer 77

Social engineering crazy email to entice user.

Question 78

spoofing

Answer 78

emails that look authentic

Question 79

whitelist

Answer 79

all traffic is denied except…what is on list.