Chapters 7-9 Flashcards
What is a Security Audit?
Independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with policy, detect breaches, and recommend changes.
What is the Objective of a Basic Security Audit?
Establish accountability for security system entities
What is a Security Audit Trail?
Chronological record of system activities that is sufficient to reconstruct and examine the sequence of environments and activities surrounding or leading up to an operation
What Events Does the Common Criteria (CC) Specify as Auditable?
- Introduction of Objects
- Deletion of Objects
- Distribution or Revocation of Access Rights or Capabilities
- Changes to Subject or Security Attributes
- Policy Checks by Security Software
- Use of Access Rights to Bypass Policy Check
- Use of Identification and Authentication Functions
- Security-related actions of user
- Import/Export of data from/to Removable Media
What are the Event Detection Criteria?
- Appropriate Hooks must be Available
- Monitoring Software needs to be Added
- Event Recording Function is Needed
- Audit Trail Analysis Software Tools May be Used to Analyze Collected Data
- Additional Security for Auditing Function
- Auditing System Should Have Minimal Effect on Functionality
What are the Implementation Guidelines?
- Agree on Audit Requirements with Management
- Scope of Technical Audit Tests Should be Agreed and Controlled
- Audit Tests should be Limited to Read-only Access to Software and Data
- Exceptions to the Read-only Rule Should Only be Made on Isolated Copies of System Files
- Additional Requirements for Processing Should be Identified and Agreed
- Audit Tests that Limit Availability Should be Run Outside Business Hours
- All Access Should be Monitored and Logged
What Should Be Collected in an Auditing Trail?
- Events Related to Use of Auditing Software
- Events Related to Security Mechanisms
- Events Collected for Use By Security Detection and Prevention Mechanisms
- Events Related to System Management and Operation
- Operating System Access
- Application Access of Selected Applications
- Remote Access
What are Physical Access Audit Trails?
Audit Trails Generated By Equipment that Control Physical access
What are the Data of Interest of Physical Access Audit Trails?
- Date/time/location of Access
- Valid and Invalid Access Attempts
- Attempts to Add/Modify/Delete Physical Access Privileges
What is a Hook?
Capture Points that Trigger Data Collection and Storage, depends on OS and Applications Involved
What is Contained in an Event Log?
- Numeric Identification Code
- Set of Attributes
- Optional User-supplied Data
What are the 3 Types of Windows Event Logs?
- System
- Application
- Security
What are the Windows Event Categories?
- Account Logon Events
- Account Management
- Directory Service Access
- Logon Events
- Object Access
- Policy Changes
- Privilege Use
What are the UNIX Syslog Elements?
- syslog() : API referenced by several standard system utilities
- logger : Command to add single-line entries to system log
- /etc/syslog.conf : Config file used to control logging and routing of system log events
- syslogd : Daemon to receive/route log events
What is a Syslog Service?
- Means of Capturing Relevant Events
- Storage Facility
- Protocol for Transmitting syslog Messages from Other Machines to a Syslog Server
What Add-on Features Can be Included in the Syslog Service?
- Robust Filtering
- Log Analysis
- Event Response
- Alternative Message Formats
- Log File Encryption
- Database Storage
- Rate Limiting
What is a Syslog Protocol?
Transport Allowing Hosts to Send IP Event Notification Messages to Syslog Servers
What do Messages in the BSD Syslog Format Consist of?
- PRI : facility and severity code, encoded as a single number (facility * 8 + severity) in angle brackets
- Header : timestamp and hostname/IP address
- Msg : TAG (program name, optionally with PID) and content
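Worked example (added here; not from the textbook or the flashcard set): a parser for the BSD (RFC 3164) message layout above, splitting PRI back into facility and severity, plus a syslog.conf-style selector matcher that routes records the way syslogd does. The sample lines are constructed, and the rule destinations are illustrative.

```python
import re

# Facility and severity names from RFC 3164; list index == numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: CONTENT
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<content>.*)$"
)

def decode_pri(pri):
    """PRI = facility * 8 + severity; split the number back into names."""
    if not 0 <= pri <= 191:          # 23 * 8 + 7 = 191 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def parse_bsd_syslog(line):
    """Return the PRI, HEADER and MSG parts of one RFC 3164 message as a dict."""
    m = _SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not a BSD syslog message: {line!r}")
    facility, severity = decode_pri(int(m.group("pri")))
    return {
        "facility": facility, "severity": severity,
        "timestamp": m.group("ts"), "host": m.group("host"),
        "program": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "content": m.group("content"),
    }

def selector_matches(selector, facility, severity):
    """Evaluate a syslog.conf selector such as 'auth.warning' or '*.emerg'.
    A named severity means that level or anything more severe; 'none' excludes the facility."""
    fac, _, sev = selector.partition(".")
    if fac not in ("*", facility):
        return False
    if sev == "*":
        return True
    if sev == "none":
        return False
    return SEVERITIES.index(severity) <= SEVERITIES.index(sev)

def route(lines, rules):
    """Apply (selector, destination) rules like syslogd and return {destination: [records]}."""
    routed = {}
    for line in lines:
        rec = parse_bsd_syslog(line)
        for selector, dest in rules:
            if selector_matches(selector, rec["facility"], rec["severity"]):
                routed.setdefault(dest, []).append(rec)
    return routed

# Constructed sample messages (not real log data).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Feb  5 17:32:18 10.0.0.99 myproc: Use the BFG!",
    "<0>Mar  1 03:00:01 kernelhost kernel: panic: out of memory",
]

if __name__ == "__main__":
    rules = [("auth.warning", "/var/log/auth.log"), ("*.emerg", "@logserver"),
             ("*.info", "/var/log/messages")]
    for dest, recs in route(SAMPLE_LINES, rules).items():
        print(dest, [(r["facility"], r["severity"], r["program"]) for r in recs])
```

Note that nothing in the BSD format authenticates the sender: the hostname and PRI are whatever the client put on the wire, which is why a central syslog server should only accept from known relays and why the add-on features below (encryption, rate limiting) matter.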
What are Interposable Libraries?
Allows the generation of audit data without needing to recompile the system libraries or application
What are the Three Types of Interposable Libraries?
- Statically Linked Libraries
- Statically Linked Shared Libraries
- Dynamically Linked Shared Libraries
What is a Statically Linked Library?
Separate Copy of the Linked Library function is loaded into the program’s virtual memory
What is a Statically Linked Shared Library?
Referenced Shared Object is Incorporated into the Target Executable at Link Time by the Link Loader
What are Dynamically Linked Shared Libraries?
The linking to shared library routines is deferred until load time
What is Dynamic Binary Rewriting?
Postcompilation technique that directly changes the binary code of executables
What are Loadable Modules?
Modules that can automatically be loaded and unloaded on demand
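Worked example (added here; a Python analogue, not code from the textbook): the point of hooks and interposable libraries is to capture calls without recompiling the application. The same idea in Python is to replace a function the program resolves at call time, here builtins.open, with a wrapper that writes an audit record and then defers to the original. The scratch directory and file names are constructed for the demo.

```python
import builtins
import os
import shutil
import tempfile
import time
from errno import ENOENT

AUDIT_TRAIL = []                 # in production: hand records to syslog or the audit daemon
_real_open = builtins.open       # keep the original so the hook can defer to it

def _audited_open(file, mode="r", *args, **kwargs):
    """Interposed open(): record the request and its outcome, then call the real open()."""
    record = {"ts": time.time(), "call": "open", "path": str(file), "mode": mode}
    try:
        handle = _real_open(file, mode, *args, **kwargs)
    except OSError as exc:
        record.update(outcome="fail", errno=exc.errno)
        AUDIT_TRAIL.append(record)
        raise                     # the application still sees the original error
    record["outcome"] = "ok"
    AUDIT_TRAIL.append(record)
    return handle

def install_hook():
    """Like LD_PRELOAD-ing an interposer: later calls to open() go through the wrapper."""
    builtins.open = _audited_open

def remove_hook():
    builtins.open = _real_open

def hook_installed():
    return builtins.open is _audited_open

def demo():
    """Exercise the hook on a constructed scratch directory and return the audit trail."""
    AUDIT_TRAIL.clear()
    workdir = tempfile.mkdtemp()
    install_hook()
    try:
        path = os.path.join(workdir, "note.txt")
        with open(path, "w") as f:        # resolved through builtins at call time, so hooked
            f.write("audited write\n")
        try:
            open(os.path.join(workdir, "missing.txt"))
        except FileNotFoundError:
            pass                          # the failed attempt is still recorded
    finally:
        remove_hook()                     # always restore, like unloading a module
        shutil.rmtree(workdir, ignore_errors=True)
    return list(AUDIT_TRAIL)
```

Both the successful and the failed open appear in the trail, which is what the "valid and invalid access attempts" requirement above asks for. A real interposer has the same two caveats this one does: it only sees calls that go through the hooked entry point (code that captured a reference to the original beforehand bypasses it), and the audit records themselves need protection, since a process that can replace open() can also replace the hook.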
What are the Types of Audit Trail Analysis
- Audit Trail After an Event: focuses on audit trail entries relevant to a specific event
- Periodic Review: review bulk data to identify problems and behavior
- Real-time Audit Analysis: part of intrusion detection
What is an Audit Review
- Provides administrator with information from selected audit records
- Used to Provide Security Baseline
What are the Approaches to Data Analysis?
- Basic Alerting: Indicate interesting event occurred
- Baselining: Define normal versus unusual events/patterns and compare it to new data
- Windowing: detection of events within given set of parameters
- Correlation: seeks relationship among events
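Worked example (added here; not from the textbook): the four analysis approaches applied to one constructed set of normalised login records. Basic alerting keys on event type alone, baselining compares new logins against (user, source) pairs learned from a training period, windowing counts failures per source inside a sliding time window, and correlation links a burst of failures to a later success from the same source. Record fields and thresholds are assumptions for the demo.

```python
from collections import defaultdict, deque

# Constructed, already-normalised audit records (what an agent or SIEM would hand to the analyser).
# ts = seconds since an arbitrary epoch; src = client address; user = account named in the event.
BASELINE = (
    [{"ts": t,       "user": "alice", "src": "10.0.0.5", "event": "login_ok"} for t in range(0, 36000, 3600)]
  + [{"ts": t + 120, "user": "bob",   "src": "10.0.0.7", "event": "login_ok"} for t in range(0, 36000, 3600)]
)
NEW = [
    {"ts": 40000, "user": "alice", "src": "10.0.0.5",    "event": "login_ok"},
    {"ts": 40010, "user": "root",  "src": "203.0.113.9", "event": "login_fail"},
    {"ts": 40012, "user": "root",  "src": "203.0.113.9", "event": "login_fail"},
    {"ts": 40015, "user": "root",  "src": "203.0.113.9", "event": "login_fail"},
    {"ts": 40017, "user": "root",  "src": "203.0.113.9", "event": "login_fail"},
    {"ts": 40019, "user": "root",  "src": "203.0.113.9", "event": "login_fail"},
    {"ts": 40030, "user": "bob",   "src": "203.0.113.9", "event": "login_ok"},
    {"ts": 40100, "user": "bob",   "src": "10.0.0.7",    "event": "login_ok"},
    {"ts": 40200, "user": "carol", "src": "10.0.0.8",    "event": "audit_config_change"},
]

ALERT_EVENTS = {"audit_config_change", "privilege_escalation"}

def basic_alerting(records, interesting=ALERT_EVENTS):
    """Basic alerting: the event type alone makes it interesting, no context needed."""
    return [r for r in records if r["event"] in interesting]

def build_baseline(records):
    """Baselining, training phase: which (user, source) pairs normally log in successfully."""
    return {(r["user"], r["src"]) for r in records if r["event"] == "login_ok"}

def baseline_deviations(records, baseline):
    """Baselining, detection phase: successful logins from a pair never seen before."""
    return [r for r in records
            if r["event"] == "login_ok" and (r["user"], r["src"]) not in baseline]

def windowing(records, threshold=5, window=60):
    """Windowing: `threshold` failures from one source inside any `window` seconds."""
    recent, hits = defaultdict(deque), []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] != "login_fail":
            continue
        q = recent[r["src"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            hits.append({"src": r["src"], "first": q[0], "last": r["ts"], "count": len(q)})
            q.clear()                              # one alert per burst
    return hits

def correlation(records, window=300):
    """Correlation: a success from a source that produced failures shortly before
    (a brute-force attempt that likely worked)."""
    fails, hits = defaultdict(list), []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "login_fail":
            fails[r["src"]].append(r["ts"])
        elif r["event"] == "login_ok":
            prior = [t for t in fails[r["src"]] if r["ts"] - t <= window]
            if prior:
                hits.append({"src": r["src"], "user": r["user"],
                             "failures": len(prior), "ts": r["ts"]})
    return hits
```

Each approach catches something the others miss on this data: only correlation flags bob's login at 40030 as suspicious because of what preceded it, and only baselining flags it because of where it came from; windowing sees the burst but not its outcome.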
What are SIEM Systems?
Centralized logging software package that is similar to, but more complex than, syslog
What are the 2 general configuration approaches?
- Agentless: server receives data from log-generating hosts without special software
- Agent-based: agent program installed on host performs filtering and aggregation and transmit it to server for analysis and storage
What are the 4 Processes of Access Control?
- Identification
- Authentication
- Authorization
- Accountability
What is Identification?
Mechanism that provides Information about a supplicant that requests access
What is an ID?
An identifier is a unique label applied to a supplicant
What are the Authentication Mechanism Types?
- Something you Know
- Something you Have
- Something you are
- Something you produce
What is Strong Authentication?
A system that uses two different authentication mechanism types
Differentiate Password vs Passphrase
- Passwords are private words or combination of characters that only the user should know
- Passphrases are plain-language phrases from which a virtual password is derived
What are the Two forms of Cryptographic Tokens?
- Synchronous: time-based OTPs
- Asynchronous: challenge-response for authentication
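Worked example (added here; not from the textbook): both token types in code. The synchronous token is TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter taken from the clock; the server side tolerates one step of clock drift and refuses to accept a code for a counter it has already accepted, so a captured code cannot be replayed. The asynchronous token answers a fresh random challenge with an HMAC over it. The secret below is the RFC test-vector key, not a real one.

```python
import hashlib
import hmac
import os
import struct
import time

def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)

class TotpVerifier:
    """Server side of a synchronous token: tolerates small clock drift, rejects replays."""
    def __init__(self, secret, step=30, digits=6, drift=1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_counter = -1          # highest counter already accepted for this user

    def verify(self, code, at=None):
        now = int(time.time()) if at is None else at
        base = now // self.step
        for k in range(-self.drift, self.drift + 1):
            counter = base + k
            if counter <= self.last_counter:      # replay, or older than an accepted code
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_counter = counter
                return True
        return False

# Asynchronous (challenge-response) token: the server issues a random nonce,
# the token answers HMAC(secret, nonce); nothing time-based is involved.
def issue_challenge():
    return os.urandom(16)

def token_response(secret, challenge):
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()

def verify_response(secret, challenge, response):
    return hmac.compare_digest(token_response(secret, challenge), response)

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); never use it for real.
TEST_SECRET = b"12345678901234567890"
```

The synchronous design depends on both sides agreeing on the time, hence the drift allowance; the asynchronous design needs no clock but costs an extra round trip, and the server must never reuse a challenge.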
What are the Different Types of Biometric Evaluation Criteria?
- False Reject Rate (Type 1 Error)
- False Accept Rate (Type 2 Error)
- Crossover Error Rate (CER)
What is a Type 1 Error?
False Negatives
What is a Type 2 Error?
False Positives
What is a CER?
The Crossover Error Rate is the point at which the number of false rejections equals the number of false acceptances
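Worked example (added here; not from the textbook): computing FRR, FAR and the CER from match scores. The genuine and impostor score lists are constructed; a sample is accepted when its score reaches the threshold, so raising the threshold lowers FAR and raises FRR, and the CER is the threshold where the two meet.

```python
# Constructed match scores (higher = more similar); accept when score >= threshold.
GENUINE  = [0.92, 0.88, 0.81, 0.77, 0.70, 0.66, 0.60, 0.55, 0.49, 0.43]   # enrolled users
IMPOSTOR = [0.58, 0.52, 0.47, 0.41, 0.36, 0.30, 0.25, 0.20, 0.15, 0.10]   # other people

def error_rates(genuine, impostor, threshold):
    """FRR (Type I) = fraction of genuine samples rejected;
    FAR (Type II) = fraction of impostor samples accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far

def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold; the CER is the
    threshold where FRR and FAR are closest (equal, on this data)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _, threshold, frr, far = best
    return threshold, frr, far

def trade_off_table(genuine, impostor, thresholds):
    """(threshold, FRR, FAR) rows showing one error type traded for the other."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]

if __name__ == "__main__":
    for t, frr, far in trade_off_table(GENUINE, IMPOSTOR, [0.3, 0.5, 0.52, 0.7, 0.9]):
        print(f"threshold={t:.2f}  FRR={frr:.1f}  FAR={far:.1f}")
    print("CER at threshold %.2f: FRR=%.1f FAR=%.1f" % crossover_error_rate(GENUINE, IMPOSTOR))
```

The CER is a single number for comparing systems; in deployment the threshold is set by which error is costlier, so a door to a data centre would sit to the right of the CER (low FAR, more false rejects) and a convenience login to the left.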
What are the Types of Authorization?
- Each Authenticated User: System verifies an entity and only grants access to that entity
- Members of a Group: System matches authenticated entities to a list of entities and then grants access based on the group’s access rights
- Across Multiple Systems: Central system verifies identity and grants a set of credentials to the entity
What are Firewalls?
- Limit access
- Enforce Security Policy
- Monitor/log activity
What Can Firewalls Not Protect Against?
- Malicious Insiders
- Unforeseen Threats
- Connections that do not Pass Through the Firewall
- All Viruses
What are the Major Firewall Categories
- Packet-filtering
- Application Layer Proxies
- Media Access Control Layer
- Hybrids
What are the Three Packet-filtering Firewall Subsets?
- Static Packet Filtering: configuration rules need to be manually set and modified
- Dynamic Packet filtering: reacts and adapts to network traffic
- Stateful Packet Inspection (SPI): keeps track of each network connection in a state table, which expedites the filtering of those communications
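Worked example (added here; not from the textbook): a static filter and a stateful filter deciding on the same constructed packets. The static filter has to let inbound packets with source port 80/443 through so that web replies get back in, so an outside host that simply sets its source port to 80 reaches an internal SSH port; the stateful filter only admits inbound packets that match a connection an inside host opened. The internal range and port numbers are assumptions.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE

class StaticFilter:
    """Static packet filtering: each packet judged in isolation against a fixed rule list."""
    def __init__(self, rules):
        self.rules = rules          # [(predicate, action)], first match wins

    def decide(self, pkt):
        for pred, action in self.rules:
            if pred(pkt):
                return action
        return "deny"               # default deny

STATIC_RULES = [
    # outbound web traffic
    (lambda p: is_inside(p.src) and not is_inside(p.dst) and p.dport in (80, 443), "allow"),
    # replies have to get back in; a static filter can only recognise them by source port,
    # so any outside host that sets its source port to 80/443 is let through as well
    (lambda p: not is_inside(p.src) and is_inside(p.dst) and p.sport in (80, 443), "allow"),
]

class StatefulFilter:
    """Stateful packet inspection: an outbound SYN opens an entry in the state table and
    only packets belonging to an entry are allowed, in either direction."""
    def __init__(self, outbound_ports=(80, 443)):
        self.outbound_ports = set(outbound_ports)
        self.state = set()          # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt):
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack and pkt.dport in self.outbound_ports:
                self.state.add(key)             # new connection initiated from inside
                return "allow"
            return "allow" if key in self.state else "deny"
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "allow" if key in self.state else "deny"
        return "deny"

def run_scenario():
    """Constructed packets: a legitimate web session and a probe that spoofs source port 80.
    Returns {name: (static decision, stateful decision)}."""
    static, stateful = StaticFilter(STATIC_RULES), StatefulFilter()
    packets = {
        "syn_out":  Packet("10.0.0.5", "198.51.100.10", 51000, 80, syn=True),
        "syn_ack":  Packet("198.51.100.10", "10.0.0.5", 80, 51000, syn=True, ack=True),
        "probe_22": Packet("203.0.113.9", "10.0.0.5", 80, 22, syn=True),
    }
    return {name: (static.decide(p), stateful.decide(p)) for name, p in packets.items()}
```

A production state table also ages entries out and tracks the TCP state machine (FIN, RST) so that stale entries cannot be reused; this model keeps only the lookup that makes the difference between the two filter types.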
What is an Application Layer Proxy Firewall?
- Device capable of functioning as a firewall and an application layer proxy server
What are the types of Application Layer Proxy Firewalls?
- Proxy Servers
- Reverse Proxies
- Demilitarized Zone (DMZ)
What is a Proxy Server?
Intercepts and accommodates requests for internal servers
What are Reverse Proxies?
Proxies that return queries to users after passing requests to relevant servers
What is a DMZ?
A Demilitarized Zone is an intermediate network segment, between the untrusted outside network and the trusted internal network, where public-facing servers are placed behind firewall filtering
Differentiate UTMs and NGFWs
Unified Threat Management devices are rudimentary hybrid firewalls, while Next Generation Firewalls have additional features such as deep packet inspections and the ability to decrypt encrypted traffic
Differentiate RADIUS and TACACS+
RADIUS runs over UDP, encrypts only the password in the access request, and combines authentication and authorization, so it offers less protection and less control; TACACS+ runs over TCP, encrypts the whole packet body, and separates authentication, authorization, and accounting, so it offers more protection and finer-grained support
What is a VPN?
A Virtual Private Network keeps the contents of the network messages hidden from observers who may have traffic access
What are the Three VPN Technologies?
- Hybrid: a combination of trusted and secure VPN implementations
- Secure: uses security protocols to encrypt transmitted traffic
- Trusted (Legacy): uses leased circuits from a service provider with a contractual obligation that no one else is allowed to use said circuits
What is a Host?
Anything with an IP address, because anything with an IP address can be attacked
What are the Elements of Host Hardening?
- Backup
- Restrict Physical Access
- Configure OS with Secure Options
- Minimize Running Applications
- Harden Applications
- Download and Install Patches
- Manage Users and Groups Securely
- Manage Access Permissions for Users and Groups Securely
- Encrypt Data (if appropriate)
- Add a firewall
- Regularly Read OS log files
- Run vulnerability tests
What are the Types of Vulnerability and Exploit Fixes?
- Work-arounds: manual, expensive, and error-prone
- Patches: small programs that fix vulnerabilities, easy to download and install
- Service Packs
- Version Upgrades
What are the Problems with Patching?
- Must find the patches for the OS and applications in use
- Clients get overwhelmed with number of patches
- costs time and labor
- Priorities might lead to some patches being left out
- Risky if untested
What is a Super User Account?
Account with access to everything (root on UNIX, Administrator on Windows); present in every OS and should only be used when needed
What is Hacking Root?
Taking over the super user account
What are Permissions?
Specify what a user/group can do to files and directories
What is Inheritable Permission?
A new file or subdirectory receives the permissions of its parent directory
What are the Steps of Vulnerability Testing?
- Run Software Against Hosts to be Tested
- Interpret Reports
- Fix Problems
What are the Four Main Policies for Sensitive Data?
- Limit what sensitive data can be stored on all mobile devices
- Require data encryption
- Protect notebook with strong password
- Audit compliance with the previous two policies
What are the Benefits of Centralized PC Security Management?
- Allows One Knowledgeable User to Manage Security
- Reduces Cost through Automation
What is NAC?
Network Access Control checks connecting parties (for example their patch level and security software) before allowing them to connect to the network
What are the stages of NAC?
- Initial Health Check
- Ongoing Traffic monitoring (not always done)
What are the Advantages of GPOs?
- Consistency
- Reduced Administrative Costs
- Compliance
- Control