Chapter 7 - Software Deployment, Operations, Maintenance, Disposal

Question 1

What do you need to do with software to ensure it continues to function as expected after deployment?

Answer 1

Monitor it.
Address incidents that impact the software
Patch vulnerabilities
Identify the conditions under which the software should be replaced

Question 2

What is the goal of configuration management according to ITIL?

Answer 2

to enable the control of the infrastructure by monitoring and maintaining information on all the resources that are necessary to deliver services.

Question 3

What are the pre and post installation security configuration management considerations?

Answer 3

Hardening
Enforcement of security principles
Environment configuration
Bootstrapping and secure startup

Question 4

What is hardening?

Answer 4

The process of securing the host hardware and operating system, securing it to the most appropriate level for its purpose.

Question 5

What is a MSB?

Answer 5

Minimum Security Baseline.

Question 6

What are the some common security misconfigurations?

Answer 6

Hard coded credentials or keys, especially in plain text

Allowing directory listings in a web server

Installing software with default accounts or settings

Installing an administrative console with default configuration settings

Unneeded services, ports, protocols, unused pages, unprotected directories.

Missing software patches

No permeter controls, such as firewalls and filters

Enabling tracing and debugging, which can reveal sensitive state information to an attacker.

Question 7

What are some methods for hardening software?

Answer 7

Remove maintenance hooks
Remove debugging code and flags
Remove unneeded comments and sensitive information from code

Question 8

Why shouldn’t developers install software on production systems?

Answer 8

It violates the principle of separation of duties.

Question 9

Why is granting administrative rights to software during installation a problem?

Answer 9

It violates least privilege.

Question 10

Describe defense in depth violations in software installation

Answer 10

Enablind disabled services, ports, and protocols so software can run.

Question 11

What is the pdb file?

Answer 11

The Program Database File holds debugging and project state information. It is used to link the debug configuration of the program incrementally, but can be used to discover the internal workings of the software.

Question 12

What is a CMDB?

Answer 12

Configuration Management Database. It records all the assets in theorganization. ISO/IEC 15408 (Common Criteria) requires that the implementation, documentation, tests, project-related documentation, and tools, including build tools, are maintained in a configuration management system (CMS).

Question 13

What is booting or bootstrapping?

Answer 13

The sequence of events and processes that self-start the system to a preset state. Also called IPL.

Question 14

What is IPL?

Answer 14

Initial Program Load. Synonymous with bootstrapping.

Question 15

What is POST?

Answer 15

Power On Self Test.

The first step in bootstrapping/IPL. Needs to be protected so the TCB is maintained.

Question 16

What is secure startup?

Answer 16

The collection of processes and mechanisms that assure the environment’s TCB integrity when the system or software running on the system starts. It is usually implemented using the hardware’s trusted platform module (TPM) chip, which provides heightened tamperproof data protection during startup.

Question 17

What is TPM?

Answer 17

Trusted Platform Module.

chip can be used for storing cryptographic keys and providing identification information on mobile devices for authentication and access management. Physically, the TPM chip is located on the motherboard and is commonly used to create a unique system fingerprint within the boot process.

Question 18

Describe how acceptable risk and residual risk should interplay.

Answer 18

The level of residual risk in an installation should be below the level of acceptible risk, unless that risk has been formally accepted.

Question 19

What are detective controls?

Answer 19

Controls that build historical evidence of user and system/process actions.

Auditing and IDS.

Question 20

What are preventive controls?

Answer 20

Controls that make the success of the attcker difficult.

Input validation, output encoding, bounds checking, patching, and intrusion prevention systems (IPS)

Question 21

What are deterrent controls?

Answer 21

Controls that dissuade an attacker without actually preventing the action.
Auditing.

Question 22

What are corrective controls?

Answer 22

Controls that return the system to its correct state in the event of a failure.

Load balancing, clustering, and failover of data and systems

Question 23

What are compensating controls?

Answer 23

Controls that are implemented when the prescribed software controls (by policy or requirement) can’t be met due to legitimate constraints.

Question 24

What are the PCI DSS requirements for compensating controls?

Answer 24

Meet the intent and rigor of the original requirement.
Provide a similar level of defense as the original requirement.
Be part of a defense in depth implementation so that other requirements are not adversely impacted.
Be commensurate with additional risk imposed by not adhering to the requirement.

Question 25

What should be monitored?

Answer 25

Broadly, anything that poses a repultational risk to the business.

This could include any operations that can cause a disruption to the business (business continuity operations) and/or operations that are administrative, critical, and privileged in nature. Additionally, systems and software that operate in environments that are of low trust, such as in a demilitarized zone (DMZ), must be monitored.

Question 26

What are the primary ways in which monitoring is accomplished?

Answer 26

Scanning

Logging

Intrusion detection

Question 27

What are the primary ways in which monitoring is accomplished?

Answer 27

Scanning

Logging

Intrusion detection

Question 28

What are the core security objectives of auditing?

Answer 28

7.4.1.3

Question 29

What is a bastion host?

Answer 29

7.4.1.3

Question 30

What is a honeypot?

Answer 30

7.4.1.3

Question 31

What are the characteristics of good metrics?

Answer 31

Consistency

Quantitative: a number or percentage, not a vague “high, medium, low”

Objective

Contextually specific

Inexpensive

Question 32

What is the difference between an event, an alert, and an incident.

Answer 32

An event is any action that is directed at an object that attempts to change it’s state.

An alert is generated for an event that matches a preset condition or pattern, typically because the event can be expected to have negative consequences.

An incident violates or threatens to violate the security policy of the network, system, or software applications.

Question 33

What are the major incident types?

Answer 33

DoS
Malicious code
Unauthorized access
Inappropriate usage
Multiple component (encompasses more than one incident)

Question 34

Describe the Incident Response Process

Answer 34

1. Preparation
2. Detection and analysis
   3 Containment, eradiciation, and recovery
3. Postincident activity

Question 35

What are the 5 Ws of postincident analysis?

Answer 35

What happened?
    When did it happen?
    Where did it happen?
    Who was involved?
    Why did it happen?

Why is most important.

Question 36

What is the difference between incident management and problem managemetn?

Answer 36

Incident management aims at restoring service and business operations as quickly as possible, whereas problem management is focused on improving the service and business operations.

Question 37

What is the difference between a problem and an known error?

Answer 37

When the cause of an incident is unknown, it is said to be a problem. A known error is an identified root cause of a problem.

Question 38

What are the two CSFs of problem management?

Answer 38

Avoiding repeated incidents

Minimize the adverse impacts of incidents and problems on the business.

Question 39

What is the Problem Management Process Flow

Answer 39

1. Incident Notification
2. Root cause analysis
3. Solution determination
4. Request for change
5. Implement solution
6. Monitor and report

Question 40

Describe RCA

Answer 40

Root Cause Analysis

Asking “Why did the problem happen?” repeatedly and systematically until htere are no more reasons.

Litmus test: When you identify the root cause and fix it, the problem no longer exists. If that’s not true, you haven’t found the root cause.

Question 41

What is a fishbone diagram?

Answer 41

A tool used in Root Cause Analysis

Question 42

What’s the differnece between incident management and problem management?

Answer 42

Incident management treats symptoms (reboot it). Problem management addresses the core of the problem.

Question 43

What is the difference between a Hotfix and a Service Pack?

Answer 43

A hotfix is a functional or security patch that is provided by the software vendor or developer. It usually includes no new functionality or features and makes no changes to the hardware or software. Also called a QFE (Quick Fix Engineering).

A Service Pack is usually a rollup of multiple hotfixes and may also provide additional enhancements and functionality.

Question 44

What is disposal?

Answer 44

Discarding medai without giving any considerations to sanitization.

Question 45

What is sanitization?

Answer 45

The catchall term for removing data from media.

Question 46

What is clearing?

Answer 46

Sanitizing by overwriting logical and addressible storage with nonsensitive random data.

Data remanance can be an issue, and it doesn’t work on damaged or write-once media.

Question 47

What is purging?

Answer 47

Santitizing media by rendering the data into an unrecoverable state. Degaussing. ATA Secure Erase.

Question 48

What is destruction?

Answer 48

A method of ensuring that the media can no longer be reused and the recovery of data is virtually impossible.

Disintigration, pulverization, melting, incineration, shredding.

Question 49

What is cause mapping?

Answer 49

A problem solving method that draws out, visually, the multiple chains of interconnecting causes that lead to an incident. The method, which breaks problems down into specific cause-and-effect relationships, can be applied to a variety of problems and situations.

Question 50

What is an Ishikawa diagram?

Answer 50

Also known as the fishbone diagram or cause and effect diagram.

Question 51

What are KPIs?

Answer 51

Metrics used by organizations to measure their progress toward their goals.

Question 52

Occurs when there are significant changes to the information system affecting the security of the system or when a specified time period has elapsed in accordance with federal or agency policy.

Answer 52

Reaccreditation

Question 53

What is included in Software Configuration Management?

Answer 53

Versioning, backups, check-in and check-out practices, and management of software configuration.