CySa+ Study Notes 12 Flashcards

1
Q

(RTO) is the period following a disaster that an individual IT system may remain offline. This is the amount of time it takes to identify that there is a problem and then perform recovery (e.g., restore from backup or switch in an alternative system).

(WRT) represents the time following systems recovery, when there may be added work to reintegrate different systems, test overall functionality, and brief system users on any changes or different working practices so that the business function is again fully supported.

(RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a database is destroyed by cryptomalware, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected.

A

info

2
Q

??? is a document showing the results of risk assessments in a comprehensible format. The register may resemble the traffic light grid with columns for impact and likelihood ratings, date of identification, description, countermeasures, owner/route for escalation, and status. A risk register should be shared between stakeholders (executives, department managers, and senior technicians) so that they understand the risks associated with the workflows that they manage.

A

Risk Register

3
Q

??? (1) Business process and assets affected. (2) Personnel involved (data owner, data processors, and additional stakeholders). (3) Reason for the exception. (4) Risk assessment plus compensating controls to mitigate the added risk (additional monitoring or logging activity, for instance). (5) Duration of the exception and steps that will be taken to achieve compliance.

A

When a function or asset is noncompliant, there should be a formal process of exception management to document each case. An exception record will usually contain this information:

4
Q

??? aims to identify and scan network ranges and hosts belonging to the target and map out an attack surface. ??? is performed to gather intelligence that can be turned into an attack strategy, or conversely, when used as a defensive tool, to reduce the attack surface and mitigate potential attack vectors.

A

Enumeration

5
Q

One semi-passive technique is referred to as low and slow or sparse. This means using probes that are difficult to distinguish from legitimate traffic, and using them infrequently and with a range of source addresses so that the enumeration scanning cannot be identified without causing the victim network’s security software to generate huge numbers of false positives.

There are also fully passive techniques. One is to use a network sniffer to listen to network traffic. The attacker does not make active connections to network ports but analyzes general network chatter to identify the hosts communicating on the network. This method is obviously much slower and returns less comprehensive results than active scanning of chosen hosts.

A

info

6
Q

??? is facilitator-led training where staff practice responses to a particular risk scenario.

A

Tabletop Exercises

7
Q

Footprinting—These tools map out the layout of a network, typically in terms of IP address usage, routing topology, and DNS namespace (subdomains and hostnames). Footprinting can be performed in active, nonstealthy modes to obtain quick results at the risk of detection or by using slow semi-passive and passive techniques.

Fingerprinting—These tools perform host system detection to map out open ports, OS type and version, file shares, running services and applications, system uptime, and other useful metadata. Fingerprinting can be performed by active, semi-passive, and passive tools.

A

info

8
Q

airmon-ng—Enable and disable monitor mode.

airodump-ng—Capture 802.11 frames. Use this output to identify the MAC address of the access point (its Basic Service Set ID) and the MAC address of a victim client device.

aireplay-ng—Inject frames to perform an attack to obtain the authentication credentials for an access point.

aircrack-ng—Extract the authentication key and try to retrieve the plaintext, using a dictionary or brute force attack.

A

info

9
Q

Asset criticality might also affect scanning scope, with targeted scans of critical assets being scheduled more often.

The default behavior of Nmap is to ping and send a TCP SYN packet to port 443 and a TCP ACK packet to port 80.

If a system processes highly confidential data, it may not be appropriate to configure a credentialed scan, as that will effectively allow the scan administrator privileged access to the host.

A

info

10
Q

A credentialed scan is given a user account with log-on rights to various hosts, plus whatever other permissions are appropriate for the testing routines. This sort of test allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured. It also shows what an insider attack, or one where the attacker has compromised a user account, may be able to achieve.

A

info
