Chapter 7 - Software Deployment, Operations, Maintenance, Disposal Flashcards
What do you need to do with software to ensure it continues to function as expected after deployment?
Monitor it.
Address incidents that impact the software
Patch vulnerabilities
Identify the conditions under which the software should be replaced
What is the goal of configuration management according to ITIL?
To enable the control of the infrastructure by monitoring and maintaining information on all the resources that are necessary to deliver services.
What are the pre and post installation security configuration management considerations?
Hardening
Enforcement of security principles
Environment configuration
Bootstrapping and secure startup
What is hardening?
The process of securing the host hardware and operating system, securing it to the most appropriate level for its purpose.
What is a MSB?
Minimum Security Baseline.
What are some common security misconfigurations?
Hard coded credentials or keys, especially in plain text
Allowing directory listings in a web server
Installing software with default accounts or settings
Installing an administrative console with default configuration settings
Unneeded services, ports, protocols, unused pages, unprotected directories.
Missing software patches
No perimeter controls, such as firewalls and filters
Enabling tracing and debugging, which can reveal sensitive state information to an attacker.
What are some methods for hardening software?
Remove maintenance hooks
Remove debugging code and flags
Remove unneeded comments and sensitive information from code
Why shouldn’t developers install software on production systems?
It violates the principle of separation of duties.
Why is granting administrative rights to software during installation a problem?
It violates least privilege.
Describe defense in depth violations in software installation
Enabling disabled services, ports, and protocols so software can run.
What is the pdb file?
The Program Database File holds debugging and project state information. It is used to link the debug configuration of the program incrementally, but can be used to discover the internal workings of the software.
What is a CMDB?
Configuration Management Database. It records all the assets in the organization. ISO/IEC 15408 (Common Criteria) requires that the implementation, documentation, tests, project-related documentation, and tools, including build tools, are maintained in a configuration management system (CMS).
What is booting or bootstrapping?
The sequence of events and processes that self-start the system to a preset state. Also called IPL.
What is IPL?
Initial Program Load. Synonymous with bootstrapping.
What is POST?
Power On Self Test.
The first step in bootstrapping/IPL. Needs to be protected so the TCB is maintained.
What is secure startup?
The collection of processes and mechanisms that assure the environment’s TCB integrity when the system or software running on the system starts. It is usually implemented using the hardware’s trusted platform module (TPM) chip, which provides heightened tamperproof data protection during startup.
What is TPM?
Trusted Platform Module.
The TPM chip can be used for storing cryptographic keys and providing identification information on mobile devices for authentication and access management. Physically, the TPM chip is located on the motherboard and is commonly used to create a unique system fingerprint within the boot process.
Describe how acceptable risk and residual risk should interplay.
The level of residual risk in an installation should be below the level of acceptable risk, unless that risk has been formally accepted.
What are detective controls?
Controls that build historical evidence of user and system/process actions.
Auditing and IDS.
What are preventive controls?
Controls that make the success of the attacker difficult.
Input validation, output encoding, bounds checking, patching, and intrusion prevention systems (IPS)
What are deterrent controls?
Controls that dissuade an attacker without actually preventing the action.
Auditing.
What are corrective controls?
Controls that return the system to its correct state in the event of a failure.
Load balancing, clustering, and failover of data and systems
What are compensating controls?
Controls that are implemented when the prescribed software controls (by policy or requirement) can’t be met due to legitimate constraints.
What are the PCI DSS requirements for compensating controls?
Meet the intent and rigor of the original requirement.
Provide a similar level of defense as the original requirement.
Be part of a defense in depth implementation so that other requirements are not adversely impacted.
Be commensurate with additional risk imposed by not adhering to the requirement.
What should be monitored?
Broadly, anything that poses a reputational risk to the business.
This could include any operations that can cause a disruption to the business (business continuity operations) and/or operations that are administrative, critical, and privileged in nature. Additionally, systems and software that operate in environments that are of low trust, such as in a demilitarized zone (DMZ), must be monitored.
What are the primary ways in which monitoring is accomplished?
Scanning
Logging
Intrusion detection
What are the core security objectives of auditing?
7.4.1.3
What is a bastion host?
7.4.1.3
What is a honeypot?
7.4.1.3
What are the characteristics of good metrics?
Consistency
Quantitative: a number or percentage, not a vague “high, medium, low”
Objective
Contextually specific
Inexpensive
What is the difference between an event, an alert, and an incident?
An event is any action that is directed at an object that attempts to change its state.
An alert is generated for an event that matches a preset condition or pattern, typically because the event can be expected to have negative consequences.
An incident violates or threatens to violate the security policy of the network, system, or software applications.
What are the major incident types?
DoS
Malicious code
Unauthorized access
Inappropriate usage
Multiple component (encompasses more than one incident)
Describe the Incident Response Process
- Preparation
- Detection and analysis
- Containment, eradication, and recovery
- Postincident activity
What are the 5 Ws of postincident analysis?
What happened? When did it happen? Where did it happen? Who was involved? Why did it happen?
Why is most important.
What is the difference between incident management and problem management?
Incident management aims at restoring service and business operations as quickly as possible, whereas problem management is focused on improving the service and business operations.
What is the difference between a problem and a known error?
When the cause of an incident is unknown, it is said to be a problem. A known error is an identified root cause of a problem.
What are the two CSFs of problem management?
Avoid repeated incidents.
Minimize the adverse impacts of incidents and problems on the business.
What is the Problem Management Process Flow?
- Incident Notification
- Root cause analysis
- Solution determination
- Request for change
- Implement solution
- Monitor and report
Describe RCA
Root Cause Analysis
Asking “Why did the problem happen?” repeatedly and systematically until there are no more reasons.
Litmus test: When you identify the root cause and fix it, the problem no longer exists. If that’s not true, you haven’t found the root cause.
What is a fishbone diagram?
A tool used in Root Cause Analysis
What’s the difference between incident management and problem management?
Incident management treats symptoms (reboot it). Problem management addresses the core of the problem.
What is the difference between a Hotfix and a Service Pack?
A hotfix is a functional or security patch that is provided by the software vendor or developer. It usually includes no new functionality or features and makes no changes to the hardware or software. Also called a QFE (Quick Fix Engineering).
A Service Pack is usually a rollup of multiple hotfixes and may also provide additional enhancements and functionality.
What is disposal?
Discarding media without giving any consideration to sanitization.
What is sanitization?
The catchall term for removing data from media.
What is clearing?
Sanitizing by overwriting logical and addressable storage with nonsensitive random data.
Data remanence can be an issue, and it doesn’t work on damaged or write-once media.
What is purging?
Sanitizing media by rendering the data into an unrecoverable state. Degaussing. ATA Secure Erase.
What is destruction?
A method of ensuring that the media can no longer be reused and the recovery of data is virtually impossible.
Disintegration, pulverization, melting, incineration, shredding.
What is cause mapping?
A problem solving method that draws out, visually, the multiple chains of interconnecting causes that lead to an incident. The method, which breaks problems down into specific cause-and-effect relationships, can be applied to a variety of problems and situations.
What is an Ishikawa diagram?
Also known as the fishbone diagram or cause and effect diagram.
What are KPIs?
Metrics used by organizations to measure their progress toward their goals.
What is reaccreditation?
Reaccreditation occurs when there are significant changes to the information system affecting the security of the system or when a specified time period has elapsed in accordance with federal or agency policy.
What is included in Software Configuration Management?
Versioning, backups, check-in and check-out practices, and management of software configuration.