D7: Security Operations Flashcards

1
Q

Incident Scene

A
  • ID the scene
  • Protect the environment
  • ID evidence and potential sources of evidence
  • Collect evidence - hash +
  • Minimize the degree of contamination

Locard’s Exchange Principle - perps leave something behind

2
Q

Evidence Types

A
  1. Sufficient: persuasive enough to convince one of its validity
  2. Reliable: consistent with fact, evidence has not been tampered with or modified
  3. Permissible: lawful obtaining of evidence; avoid unlawful search and seizure, secret recording, privacy violations, forced confessions and any other unlawful obtaining of evidence
  4. Preserved and Identifiable: collection; reconstruction

Identification: labeling, recording serial number, etc.

Evidence must be preserved and identifiable

*Collection, documentation, classification, comparison, reconstruction

3
Q

Evidence Lifecycle

A
  1. Discovery
  2. Protection
  3. Recording
  4. Collection and Identification
  5. Analysis
  6. Storage, preservation, transportation
  7. Present in Court
  8. Return to Owner

Witnesses that the evidence is trustworthy - description of procedures, normal business method collections, error precaution and correction

4
Q

Best Evidence

A
  1. Primary Evidence - is used at trial because it is the most reliable.
    - original documents are used to document things such as contracts
    - NO COPIES!!!!
    - Oral is not the best evidence though it may provide interpretation of documents
5
Q

Secondary Evidence

A
  • Not as strong as Primary
  • it is not permitted if the Best Evidence is available
  • Oral evidence (like witness testimony)
6
Q

Direct Evidence

A
  • Direct evidence can prove a fact by itself and does not need any type of backup evidence.
  • Does NOT need other evidence to substantiate.
  • Testimony from a witness - one of their 5 senses.
  • Oral evidence is a type of secondary evidence so the case can’t simply stand on this alone.
7
Q

Conclusive Evidence

A
  • irrefutable and cannot be contradicted

- requires no other corroboration

8
Q

Circumstantial Evidence

A
  • used to help assume another fact

- cannot stand on its own to directly prove a fact

9
Q

Corroborative Evidence

A
  • supports or substantiates other evidence presented in a case
10
Q

Hearsay Evidence

A
  • something a witness hears another one say.
  • business records are hearsay and all that is printed or displayed
  • EXCEPTION: audit trails and business records when the documents are created in normal course of business
11
Q

Interviewing

A

Gather facts and determine the substance of the case

12
Q

Interrogation

A

Evidence retrieval method, ultimately obtain a confession

13
Q

The Process / Due Process

A

Involves:

  • prep of questions and topics
  • puts witness at ease
  • summarize information or interview/interrogation plan

Other Notes:

  • have one person as lead and 1-2 others involved as well
  • never interrogate or interview alone
14
Q

Opinion Rule

A

Requires witnesses to testify only about the facts of the case, cannot be used as evidence in the case

*context - Federal Rules of Evidence (FRE), a court will permit a person who isn’t testifying as an expert to testify in the form of an opinion if it’s both rationally based on their perception and helps to explain the witness’s testimony

15
Q

Expert Witnesses

A

Used to educate the jury and can be used as evidence

16
Q

Six Principles for Digital Evidence Technicians

A
  1. When dealing with digital evidence, all general forensic and procedural principles must be applied
  2. Upon seizing digital evidence, actions taken should not change the evidence
  3. When it is necessary for a person to access original digital evidence, that person should be trained for that purpose.
  4. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved and available for review.
  5. An individual is responsible for all actions taken with respect to digital evidence while the evidence is in their possession
  6. Any agency responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
17
Q

Media Analysis

A

Identification and extraction of information from storage media. May include:

  • Magnetic Media - hard disks, tapes
  • Optical Media - CDs, DVDs, Blu-ray discs
  • Memory - RAM, solid state storage

Techniques used for media analysis may include:

  • recovery of deleted files from unallocated sectors of the physical disk
  • the live analysis of storage media connected to a computer system (esp. useful when examining encrypted media)
  • the static analysis of forensic images of storage media.
18
Q

Software Analysis

A

Forensic review of applications or the activity that takes place within a running application.

May need to review and interpret log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.

When malicious insiders are suspected, the forensic analyst may be asked to conduct a review of software code, looking for back doors, logic bombs or other vulns.

19
Q

Hardware / Embedded Device Analysis

A

Forensic analysts often must review the contents of hardware and embedded devices.

This may include a review of personal computers & smartphones

20
Q

Admissible Evidence

A
  • The evidence must be relevant to determining a fact, and the fact must be material/related to the case
  • Evidence must have been obtained legally aka competent
  • Evidence that results from an illegal search would be inadmissible because it is not competent.
21
Q

Five Rules of Evidence

A
  1. Be authentic - evidence ties back to the scene
  2. Be accurate - maintain authenticity and veracity
  3. Be complete - all evidence collection, for and against view
  4. Be convincing - clear & easy to understand for jury
  5. Be admissible - be able to be used in court
22
Q

Forensic Disk Controller

A

Write blocking - intercepts write commands sent to the device and prevents them from modifying data on the device

Return data requested by a read operation

Return access-significant information from device

Reporting errors from device to forensic device.

LOGS TAKEN IN NORMAL COURSE OF BIZ

23
Q

MOM

A

Means, opportunity and motive

24
Q

Victimology

A

Why certain people are victims of a crime, and how lifestyle affects the chances that a certain person will fall victim to a crime investigation

25
Q

Investigation Types

A

Operational
Criminal
Civil
eDiscovery

26
Q

Slack Space

A

Slack space on a disk should be inspected for hidden data and should be included in Disk Image

27
Q

3 Branches of Law

A

Legislative: writing laws (statutory laws)
Executive: enforces laws (administrative laws)
Judicial: Interpret laws (common laws from court decisions)

28
Q

Criminal Law

A

Individuals that violate government law

Punishment mostly imprisonment

29
Q

Civil Law

A

Wrongs against individual or organization that result in a damage or loss.

Punishment can include financial penalties

Tort Law (I’ll Sue You!) Jury will decide liability

30
Q

Administrative/Regulatory Law

A

How the industries, organizations and officers have to act.

Wrongs can be penalized with imprisonment or financial penalties

31
Q

Uniform Computer Information Transactions Act (UCITA)

A

Federal Law that provides a common framework for the conduct of computer-related business transactions.

UCITA contains provisions that address software licensing

The terms of UCITA give legal backing to the previously questionable practices of shrink-wrap licensing by giving them status as legally binding contracts

33
Q

3 Types of Harm of Computer Crimes

A
  • Unauthorized intrusion
  • Unauthorized alteration or destruction
  • Malicious Code
34
Q

Admissible evidence

A

relevant, sufficient, reliable, does not have to be tangible

35
Q

Enticement

A

the legal action of luring an intruder, like in a honeypot

36
Q

Entrapment

A

the illegal act of inducing a crime, the individual had no intent of committing the crime at first

37
Q

Federal Sentencing Guidelines

A

provides judges and courts procedures on the prevention, detection and reporting

38
Q

Security Incident and Event Management (SIEM)

A

Automating much of the routine work of log review

Provides real-time analysis of events occurring on systems throughout an organization but don’t necessarily scan outgoing traffic.

39
Q

Intrusion

A

Occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization’s resources.

40
Q

Intrusion Detection

A

A specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.

41
Q

Intrusion Detection System (IDS)

A

Automates the inspection of logs and real-time system events to detect intrusion attempts and system failures.

An effective method of detecting many DoS and DDoS attacks

Can recognize external attacks e.g. from the internet or attacks that spread internally like a malicious worm.

Detections will trigger alarms and alerts, and sometimes will modify the environment to stop an attack

IDS is part of defense-in-depth security plan - it will work with, and complement other security mechs like firewalls, but it does not replace them.

42
Q

Intrusion Prevention System IPS

A

Intrusion prevention system includes all capabilities of an IDS, but can also take additional steps to stop or prevent intrusions - admins can disable the features of an IPS, and it becomes an IDS

43
Q

Data Loss Prevention (DLP)

A

Data loss prevention systems attempt to detect and block data exfiltration attempts.

The systems have the capability of scanning data looking for keywords and data patterns.

Can look for sensitive information stored on hard drives

44
Q

Network-based DLP

A

Scans all outgoing data looking for specific data.

Admin would place it on the edge of the network to scan all data leaving the organization

If a user sends out a file containing restricted data, the DLP system will detect and prevent it from leaving the organization

The DLP system will send an alert such as an email to an administrator

45
Q

Endpoint-based DLP

A

Can scan files stored on a system as well as files sent to external devices such as printers

An organization's endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer

46
Q

3 states of information

A

Data at rest (storage)

Data in transit (the network)

Data being processed (must be decrypted) / in use / end point

47
Q

Configuration Item (CI)

A

Component whose state is recorded

Version: recorded state of the CI

48
Q

Configuration

A

Collection of component CIs that make another CI

49
Q

Building

A

Assembling a version of a CI using component CIs

50
Q

Building list

A

Set of versions of component CIs used to build a CI

51
Q

CI Software Library

A

Controlled area only accessible for approved users

52
Q

Recovery Procedures

A

System should restart in secure mode

Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals

53
Q

Fault-tolerant

A

Continues to function despite failure

54
Q

Fail Safe System

A

Program execution is terminated and the system protected from compromise when a hardware or software failure occurs. DOORS usually

55
Q

Fail Closed/Secure

A

The most conservative from a security perspective

56
Q

Fail Open

A

????

57
Q

Fail Hard - BSOD

A

Human to see why it failed??

58
Q

Fail Soft or Resilient System

A

Reboot, selected, non-critical processing is terminated when failure occurs

59
Q

Failover

A

Switches to hot backup

60
Q

Fail Safe vs. Fail Secure

A

FAIL SAFE: doors UNLOCK

FAIL SECURE: doors LOCK

61
Q

Trusted Path

A

Protects data between users and a security component

Channel established with strict standards to allow necessary communication to occur without exposing the TCB to security vulnerabilities

A trusted path also protects system users (sometimes known as subjects) from compromise as a result of a TCB interchange

ONLY WAY TO CROSS SECURITY BOUNDARY RIGHT WAY

62
Q

Security Events vs. Security Incidents vs. Security Intrusion

A

Events: anything that happens; can be documented verified and analyzed.

Incidents: event(s) that adversely impact the ability of an organization to do business. A suspected attack

Intrusion: evidence attacker attempted or gained access to

63
Q

Incident Response Lifecycle

A

Official:

Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons Learned

Unofficial:

Response Capability: policy, procedures, a team
Incident Response and Handling: triage, investigation, containment and analysis tracking
Recovery: Recovery or repair
Debriefing / Feedback: External Communications
Mitigation: limit the effect or scope of an incident

64
Q

Root Cause Analysis (RCA)

A

COME BACK TO AFTER READING

65
Q

HIDS

A

Host Based IDS

Monitors activity on a single computer, including process calls and information recorded in firewall logs.

It can often examine events in more detail than NIDS can, and it can pinpoint specific files compromised in an attack.

It can also track processes employed by the attacker

A benefit of HIDS over NIDS is that HIDS can detect anomalies on the host system that NIDS cannot detect

66
Q

NIDS

A

Network-IDS

Monitors and evaluates network activity to detect attacks or event anomalies

It cannot monitor the content of encrypted traffic but can monitor other packet details

A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.

67
Q

Full Backup

A

All files, archive bit and modify bit are cleared

Pro: only previous day needed for full restore
Con: Time consuming

68
Q

Incremental Backup

A

Only modified files, and the archive bit is cleared

Pro: Least time and space
Con: must first restore full and then all incremental backups > makes it less reliable because it depends on more components

69
Q

Differential Backup

A

Only modified files, and does not clear the archive bit

Pro: Full and only last diff needed, intermediate time between full and diff

70
Q

Redundant Servers

A

Applies RAID 1 mirroring concepts to servers

On error servers can do a failover > aka server fault tolerance

71
Q

Server Clustering

A

Group of independent servers which are managed as a single system

All servers are online and take part in processing service requests

Individual computing devices on a cluster vs. a grid system — cluster devices all share the same OS and application software but grid devices can have different OSs while working on same problem

72
Q

Tape Rotation Schemes

A

COME BACK TO AFTER READING

73
Q

RAIT

A

Robotic mechanisms to transfer tapes between storage and drive mechanisms

74
Q

Mutual Aid Agreements

A

AKA Reciprocal agreement

Arrangement with another similar corporation to take over the processes

Pro: cheap

Con: must be exactly the same, is there enough capability, only for short term and what if disaster affects both corporations? Not enforceable

75
Q

DR - Subscription Services

A

Third party, subscription services provide alternate backups and processing facilities

Most common of implementations

76
Q

Redundant

A

Mirrored Site, potential zero down time

77
Q

Hot Site - Internal/External

A

Fully configured computer facility

All applications are installed, up-to-date and mirror of the production system

Extremely urgent critical transaction processing

Pro: 24/7 availability and exclusive use are assured - short and long term
Con: extra admin overhead, costly, security controls needs to be installed at the remote facility too

Exclusive to one company hours to be up??

78
Q

Warm Site

A

Cross between hot and cold site

The computer facility is available but the applications may not be installed or need to be configured.

External connections and other data elements that take long time to order are present

Workstations have to be delivered and data has be restored

Pro: Less costly, more choice of location, less admin resources required
Con: it will take some time to start production processing; nonexclusive, and 12 hours to be up

79
Q

Cold Site

A

Least ready but most commonly used

Has no hardware installed, only power and HVAC

Pro: Cost, ease of location choice, non-exclusive
Con: very lengthy time of restoration, false sense of security but better than nothing

80
Q

Service Bureau

A

Contract to fully backup processing services

Pro: quick response and availability, testing is possible
Con: expense and it is more of a short time option

81
Q

Multiple Centers/Dual Sites

A

Processing is spread over several computer centers

Can be managed by the same corporation (in house) or with another organization (reciprocal agreement)

Pro: costs, multiple sites will share resources and support
Con: a major disaster could affect both sites, multiple configurations have to be administered

82
Q

Rolling/Mobile Sites

A

Mobile homes or HVAC trucks

Could be considered a cold site

83
Q

In-House or External

A

Supply of hardware replacements

Stock of hardware either onsite or with a vendor

May be acceptable for warm site but not for hot site

84
Q

Prefabricated building

A

A very cold site

85
Q

RAID Levels

A

RAID 0: Striped - one large disk out of several; improved performance but no fault tolerance
RAID 1: Mirrored - drives, fault tolerance from disk errors and single disk failure, expensive; redundancy only, not speed
RAID 2: not used commercially; Hamming Code parity/error correction
RAID 3: Striped on byte level - extra parity drive; improved performance and fault tolerance, but parity drive is a single point of failure and write intensive. 3 or more drives
RAID 4: same as RAID3, but striped on block level; 3 or more drives
RAID 5: Striped on block level, parity distributed over all drives; requires all drives but one to be present to operate hot-swappable. Interleave parity, recovery control; 3 or more drives
RAID 6: Dual Parity, parity distributed over all drives - requires all drives but two to be present to operate hot-swappable
RAID 7: is the same as RAID 5 but all drives act as one single virtual disk

86
Q

Backup Storage Media

A

Tape: sequential, slow read, fast write 200GB an hour, historically cheaper than disk (now changing), robotic libraries

Disk: fast read/write, less robust than tape

Optical Drive: CD/DVD. Inexpensive

Solid State: USB drive, security issues, protected by AES

MTTF - mean time to failure
MTTR - mean time to repair
MTBF - mean time between failures (useful life) = MTTF + MTTR
JBOD - most basic type of storage

87
Q

Electronic Vaulting

A

Transfer of backup data to an offsite storage location via communication lines

88
Q

Remote Journaling

A

Parallel processing of transactions to an alternative site via communication lines

89
Q

Database shadowing

A

Live processing of remote journaling and creating duplicates of the database sets to multiple servers

90
Q

Object reuse

A

Use again after initial use

91
Q

Data remanence

A

Remaining data after erasure; format magnetic media 7 times (orange book)

92
Q

Clearing

A

Overwriting media to be reused

93
Q

Purging

A

Degaussing or overwriting to be removed

94
Q

Destruction

A

Complete destruction, preferably by burning

95
Q

Disaster Recovery End Goal

A

Restore normal business operations

Statement of actions that have to be taken before, during and after a disruptive event that causes a significant loss of information

Goal: provide organized way for decision making, reduce confusion and deal with crisis

Planning and development must occur before the disaster

BIA has already been completed prior - now it is time to protect

96
Q

Disaster

A

Any event, natural or manmade, that can disrupt normal IT operations

The disaster is not over until all operations have been returned to their normal location and function

It will be officially over when the data has been verified at the primary site, as accurate

97
Q

Recovery Team

A

Mandated to implement recovery after the declaration of the disaster

98
Q

Salvage Team

A

Goes back to the primary site to restore normal processing environmental conditions

Clean, repair, salvage

Can declare when primary site is available again

99
Q

Normal Operations Resume Plan

A

Has all procedures on how the company will return processing from the alternate site

100
Q

Other Recovery Issues

A

Interfacing with other groups: everyone outside the corporation

Employee Relations - responsibility towards employees and families

Fraud and Crime: like vandalism, looting and people grabbing the opportunity

Financial reimbursement?? / Media Relations
- find someone to run it

101
Q

Documenting the Disaster Recovery Plan

A
  • activation and recovery procedures
  • plan management
  • HR involvement
  • costs
  • required documentation
  • internal / external communications
  • detailed plans by teams

**get communications up first, then most critical business functions

102
Q

Desk Check

A

review plan contents

103
Q

Table-Top Exercise

A

Members of the disaster recovery team gather in a large conference room and role-play a disaster scenario

104
Q

Simulation tests

A

More comprehensive and may impact one or more non-critical business units of the organization, all support personnel meet in a practice room

105
Q

Parallel tests

A

Involve relocating personnel to the alternate site and commencing operations there.

Critical systems are run at an alternate site, main site open also

106
Q

Full-interruption tests

A

Involve relocating personnel to the alternate site and shutting down operations at the primary site

107
Q

Business Continuity Plan (BCP)

A

Plan for emergency response, backup operations and post disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation

108
Q

BCP (proactive goals)

A

Business Continuity - ensuring the business can continue in an emergency, 1st business organization analysis

Focus on Business Processes

  1. Scope and Plan Initiation - consider amount of work required, resources required, management practice
  2. BIA - helps understand impact of disruptive processes
  3. Business Continuity Plan development
    - Use BIA to develop BCP (strategy development phase bridges the gap between the business impact assessment and continuity planning phases of BCP development)
  4. Plan approval and implementation
    - management approval
    - create awareness

**Update plan as needed, at least once a year testing

109
Q

Disaster Recovery (reactive goals)

A

Recover as quickly as possible

  • Heavy IT focus
  • Allows the execution of the BCP
  • Needs planning
  • Needs testing

CRITICAL, URGENT, IMPORTANT

110
Q

Business Continuity Plans development

A
  • Defining the continuity strategy
  • Computing: strategy to preserve the elements of hardware/software/communication lines/applications/data
  • Facilities: use of main buildings or any remote facilities
  • People: operators, management, technical support persons
  • Supplies and equipment: paper, forms, HVAC
  • Documenting the continuity strategy
111
Q

BCP Committee

A

Senior Staff: ultimate responsibility, responsible for due care, due diligence

Various business units: identify and prioritize time critical systems

Information Systems

Security Administrator

There should be representatives from all departments who will execute the plan

112
Q

CCTV

A

Multiplexer allows multiple camera screens shown over one cable on a monitor

  • via coax cables (hence closed)
  • attacks: replayed (video images)
  • fixed mounting vs. PTZ Pan Tilt Zoom; annunciator system (detects movements on screen and alerts guards)
  • Recording (for later review) = detective control
  • CCTV enables you to compare the audit trails and access logs with visual recording
113
Q

Lighting

A

Glare Protection: against blinding by lights

Continuous Lighting: evenly distributed lighting

Controlled Lighting: no bleeding over, no blinding

Standby lighting - timers

Responsive Areas Illumination: IDS detects activities and turns on lighting

NIST: for critical areas the area should be illuminated 8 feet in height with 2 foot candle power

114
Q

Alarms

A

Local Alarm: audible alarm for at least 4000 feet

Central Stations: less than 10mins travel time for e.g. a private security firm

Proprietary systems: owned and operated by the customer. System provides many of the features in-house

Auxiliary Station Systems: on alarm ring out to local fire or police

Line supervision: checks that the alarm wires have not been tampered with

Power Supplies: alarm systems need separate circuitry and backup power

115
Q

Intrusion Detection (Physical and Motion)

A

Physical Parameter Detection

  • Electromechanical - detect a break or change in circuit magnets pulled loose, wire doors, pressure pads
  • Photoelectric - light beams interrupted (as in a store entrance)
  • Passive infrared - detects changes in temperature
  • Acoustical detection - microphones, vibrations sensors

Motion Detection

  • Wave Pattern Motion Detectors - detects motions
  • Proximity/Capacitance detector - magnetic fields detects presence around an object
116
Q

Locks

A

Warded Lock - hanging lock with a key

Tumbler lock - cylinder slot

Combination lock - 3 digits with wheels

Cipher lock - electrical

Device lock - bolt down hardware

Preset - ordinary door lock

Programmable - combination or electrical lock

Raking - circumvent a pin tumbler lock

117
Q

Audit Trails

A

Should Include:

  • Date and time stamps
  • successful or unsuccessful attempt
  • where the access was granted
  • who attempted the access
  • who modified access privileges at supervisor level
118
Q

Security Access Cards

A

Photo ID Card: Dumb cards. digitally coded cards

  • swipe cards
  • smart cards

Wireless proximity cards

  • user activated
  • system sensing
  • passive device, no battery, uses power of the field
  • field powered device: active electronics, transmitter but gets power from the surrounding field from the reader
  • transponders: both card and receiver holds power, transmitter and electronics
119
Q

Trusted Recovery

A

Ensures that the security is not breached when a system crash or failure occurs

Only required for B3 or A1 level systems

120
Q

Failure Preparation

A

Backup critical information thus enabling data recovery

121
Q

System Recovery after a System Crash

A
  1. Reboot system in single user mode or recovery console so no user access is enabled
  2. Recover all file systems that were active during failure
  3. Restoring missing or damaged files
  4. Recovering the required security characteristic, such as file security labels
  5. Checking security-critical files such as system password file
122
Q

Common Criteria Hierarchical recovery types

A

Manual: system administrator intervention is required to return the system to a secure state

Automatic: recovery to a secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures)

Automatic without Undue Loss: higher level of recovery defining prevention against the undue loss of protected objects

Function: system can restore functional processes automatically

123
Q

Types of System Failure

A

System reboot: the system shuts itself down in a controlled manner after detecting inconsistent data structures or running out of resources

Emergency restart: the system restarts in an uncontrolled manner after a failure, e.g. when a low-privileged user process tries to access restricted memory segments

System cold start: an unexpected kernel or media failure occurs and the regular recovery procedure cannot bring the system back to a consistent state; manual intervention is required

124
Q

Hackers and Crackers

A

Intruders who want to prove their skill at breaking in; "cracker" is the term used for those with malicious intent

125
Q

Entitlement

A

Refers to the amount of privilege granted to users, typically when an account is first provisioned. A user entitlement audit can detect employees who hold excessive privileges

126
Q

Aggregation

A

Privilege creep: users accumulate privileges over time (e.g. as they change roles) because old privileges are never revoked
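
An added example covering cards 125 and 126 (not from the flashcards or any IAM product): a user entitlement audit that compares what each user actually holds against the baseline for their current role. A privilege beyond the baseline that a former role would have granted is reported as creep (aggregation); one no role explains is plain excess. The roles, privilege names and sample users are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role baselines: the privileges each role is supposed to grant,
# and nothing more.
ROLE_PRIVILEGES = {
    "helpdesk": {"ticket.read", "ticket.write", "user.password_reset"},
    "dba": {"db.read", "db.write", "db.grant"},
    "finance": {"ledger.read", "ledger.post"},
}


@dataclass
class User:
    name: str
    current_role: str
    previous_roles: list = field(default_factory=list)  # oldest first
    privileges: set = field(default_factory=set)        # what the IAM system says they hold


@dataclass(frozen=True)
class Finding:
    user: str
    privilege: str
    reason: str  # "excess" or "creep:<former role that granted it>"


def audit_entitlements(users):
    """Every privilege beyond the current role's baseline is a finding.
    If a former role explains it, it is privilege creep; otherwise excess."""
    findings = []
    for u in users:
        baseline = ROLE_PRIVILEGES.get(u.current_role, set())
        for priv in sorted(u.privileges - baseline):
            former = [r for r in u.previous_roles if priv in ROLE_PRIVILEGES.get(r, set())]
            reason = f"creep:{former[-1]}" if former else "excess"
            findings.append(Finding(u.name, priv, reason))
    return findings


def revocation_plan(findings):
    """Privileges to revoke, grouped by user: the remediation for creep."""
    plan = {}
    for f in findings:
        plan.setdefault(f.user, set()).add(f.privilege)
    return plan


# Constructed sample: alice moved from helpdesk to dba and kept a helpdesk
# privilege; bob was granted db.grant although finance never needed it;
# carol holds exactly her role's baseline.
SAMPLE_USERS = [
    User("alice", "dba", ["helpdesk"],
         {"db.read", "db.write", "db.grant", "user.password_reset"}),
    User("bob", "finance", [], {"ledger.read", "ledger.post", "db.grant"}),
    User("carol", "helpdesk", [],
         {"ticket.read", "ticket.write", "user.password_reset"}),
]

if __name__ == "__main__":
    for f in audit_entitlements(SAMPLE_USERS):
        print(f"{f.user}: {f.privilege} ({f.reason})")
```

Run periodically and on every role change; the revocation plan is the output the manager signs off, which is what distinguishes an audit from a report nobody acts on.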

127
Q

Hypervisor

A

Software component that manages the virtual machines and controls their access to physical resources. The hypervisor adds an additional attack surface, so it is important to deploy it in a secure state and keep it up to date with patches

128
Q

Notebook

A

The preferred notebook in a legal investigation is a bound one (pages attached to the binding), so that a removed page can be detected

129
Q

Exigent circumstances

A

Allows officials to seize evidence without first obtaining a warrant when it would otherwise be destroyed (mnemonic: "police team fall in")

130
Q

Data Haven

A

A country or location with no applicable laws, or with laws that are poorly enforced

131
Q

Chain of Custody

A

The documented record of the collection, analysis, preservation and transfer of evidence: who handled it, when, and why, so that it can be shown the evidence was not altered

Forensic analysis works on a bit-level copy of the disk (hashed before and after copying), never on the original
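
An added example (not from the flashcards or any forensic suite) of the two points on this card. A constructed four-block "disk" carries a deleted file in an unallocated block: a file-level copy loses it, a bit-level copy keeps it. The custody log hashes the image at acquisition and every hand-off re-hashes before accepting, so a single flipped byte is rejected. Block size, device contents and handler names are constructed.

```python
import hashlib
from datetime import datetime, timezone

BLOCK = 16  # toy block size for the constructed device

# Constructed "disk": four 16-byte blocks. The allocation map says blocks 2 and
# 3 are free, but block 2 still holds the contents of a deleted file.
DEVICE = b"".join(b.ljust(BLOCK) for b in
                  (b"FILE-A: budget", b"FILE-B: notes", b"DELETED: secret", b""))
ALLOCATED = [True, True, False, False]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def logical_copy(device, allocated):
    """File-level backup: copies only blocks the file system says are in use."""
    blocks = [device[i:i + BLOCK] for i in range(0, len(device), BLOCK)]
    return b"".join(b for b, used in zip(blocks, allocated) if used)


def bit_level_copy(device):
    """Forensic image: every block, allocated or not, byte for byte."""
    return bytes(device)


class CustodyLog:
    """Who handled the evidence, when, and its hash at each step."""

    def __init__(self):
        self.entries = []

    def record(self, action, handler, digest, when=None):
        when = when or datetime.now(timezone.utc)
        self.entries.append({"when": when.isoformat(), "action": action,
                             "handler": handler, "sha256": digest})

    def verify(self, image):
        """True only if the image still hashes to the acquisition digest."""
        return bool(self.entries) and sha256_hex(image) == self.entries[0]["sha256"]


def acquire(device, examiner):
    """Image the device, hash source and image, and open the custody log."""
    image = bit_level_copy(device)
    log = CustodyLog()
    log.record("acquire", examiner, sha256_hex(device))
    if sha256_hex(image) != sha256_hex(device):
        raise RuntimeError("image does not match source")
    log.record("image-verified", examiner, sha256_hex(image))
    return image, log


def hand_off(log, image, from_handler, to_handler):
    """Transfer custody; the receiver re-hashes before accepting."""
    ok = log.verify(image)
    log.record("transfer" if ok else "transfer-rejected",
               f"{from_handler}->{to_handler}", sha256_hex(image))
    return ok


if __name__ == "__main__":
    img, log = acquire(DEVICE, "examiner-1")
    print("deleted data in image:", b"DELETED" in img)
    print("deleted data in file-level copy:", b"DELETED" in logical_copy(DEVICE, ALLOCATED))
    print("hand-off accepted:", hand_off(log, img, "examiner-1", "lab"))
```

In practice the source device sits behind a hardware write blocker and the acquisition hash is written into the notebook described on card 128 as well as the log.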

132
Q

Darknet

A

A block of unused (unallocated) address space; no legitimate traffic should go there, so anything that does reveals scanning or other unauthorized activity
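
An added example (not from the flashcards) of darknet monitoring as detection logic over sample flow records. Within a routed 10.0.0.0/8, only a few subnets are allocated; a destination inside the parent block but outside every allocated subnet is darknet, and a source touching several distinct darknet addresses is flagged as a probable scanner. The subnets, flows and threshold are constructed.

```python
import ipaddress

# Constructed address plan: 10.0.0.0/8 is routed internally, but only these
# subnets are actually allocated. Everything else in 10/8 is darknet.
DARKNET_PARENT = ipaddress.ip_network("10.0.0.0/8")
ALLOCATED = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "10.2.0.0/16", "10.3.10.0/24")]

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.1.5.20", "10.1.7.9", 443),     # normal, allocated to allocated
    ("10.1.5.20", "10.9.1.1", 22),      # darknet
    ("10.1.5.20", "10.9.1.2", 22),      # darknet
    ("10.1.5.20", "10.9.1.3", 22),      # darknet: sequential sweep
    ("10.2.3.4", "10.3.10.7", 80),      # normal
    ("10.2.3.4", "10.200.0.1", 445),    # darknet, single hit
]


def is_darknet(dst):
    """True for addresses inside the routed block that no subnet accounts for.
    Addresses outside the parent block are not our darknet at all."""
    ip = ipaddress.ip_address(dst)
    return ip in DARKNET_PARENT and not any(ip in net for net in ALLOCATED)


def darknet_hits(flows):
    return [f for f in flows if is_darknet(f[1])]


def scanners(flows, threshold=3):
    """Sources that touched at least `threshold` distinct darknet addresses."""
    seen = {}
    for src, dst, _ in darknet_hits(flows):
        seen.setdefault(src, set()).add(dst)
    return sorted(src for src, dsts in seen.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    for src, dst, port in darknet_hits(FLOWS):
        print(f"darknet hit: {src} -> {dst}:{port}")
    print("probable scanners:", scanners(FLOWS))
```

The single hit from 10.2.3.4 is still worth a ticket (a typo or a stale DNS record, or the first probe of a slow scan); the threshold only decides what pages someone immediately.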

133
Q

Pseudo flaw

A

false vulnerability in a system that may attract an attacker

134
Q

Fair Information Practices

A
  • openness
  • collection limitation
  • purpose specification
  • use limitation
  • data quality
  • individual participation
  • security safeguards
  • accountability

135
Q

Noise and Perturbation

A

Inserting bogus information into a database in the hope of misleading an attacker or frustrating inference attacks

136
Q

First Step of Change Process

A

Management approval

When a question asks about the first step of a process, the answer is always management's approval

137
Q

Prototyping

A

Customer view taken into account

138
Q

SQL-SUDIGR

A

6 basic SQL commands

Select, Update, Delete, Insert, Grant, Revoke

139
Q

Bind Variables

A

Placeholders for literal values in a SQL statement sent to the database server; the values are supplied separately from the statement text, so user input cannot change the structure of the query (the primary defense against SQL injection)
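
An added example (not from the flashcards) showing the same lookup with the literal spliced into the statement and with a bind variable, using Python's sqlite3 module against an in-memory database with constructed rows. The payload string is constructed to show how the unbound version lets input rewrite the WHERE clause.

```python
import sqlite3

# Constructed injection payload: closes the quoted literal and appends a
# condition that is always true.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """In-memory database with three constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_unsafe(conn, name):
    """Literal value formatted into the statement text: the input becomes
    part of the SQL and can change its structure."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """'?' is the bind variable. sqlite3 sends the statement and the value
    separately; the value is only ever compared, never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def quote_is_data(conn):
    """A legitimate name containing a quote: the bound query simply matches
    nothing, while the formatted one is a syntax error."""
    try:
        lookup_unsafe(conn, "o'brien")
        unsafe_ok = True
    except sqlite3.OperationalError:
        unsafe_ok = False
    return unsafe_ok, lookup_bound(conn, "o'brien")


if __name__ == "__main__":
    db = make_db()
    print("unsafe, payload:", lookup_unsafe(db, PAYLOAD))  # every row
    print("bound, payload:", lookup_bound(db, PAYLOAD))    # no rows
    print("quote handling:", quote_is_data(db))
```

The placeholder syntax differs by driver (`?`, `%s`, `:name`), but the property is the same: the statement is parsed before the value is attached.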

140
Q

GANTT and PERT charts

A

????

141
Q

Piggybacking

A

Following an authorized person through a controlled door without presenting credentials (also called tailgating). Watching over someone's shoulder to see how they gain access is shoulder surfing, not piggybacking

142
Q

Data Center Requirements

A
  • Walls from floor to ceiling (true floor to true ceiling, not just to the drop ceiling)
  • Floor: concrete slab rated for a load of 150 lb per square foot
  • No windows
  • Air conditioning should have its own Emergency Power Off (EPO)

Electronic Access Control (EAC): proximity readers, programmable locks or biometric systems

143
Q

Crime Prevention Through Environmental Design (CPTED)

A

Natural Access Control: guiding people with doors, fences, bollards and lighting; security zones are defined

Natural Surveillance: designing spaces so that people and activity are easily observed (sightlines, lighting), supplemented by cameras and guards

Territorial Reinforcement: walls, fences, flags and signage that mark the space as owned and controlled

Target Hardening: locks, cameras, guards

Facility Site: the sensitive area is placed at the core of the building (e.g. in a six-storey building, on the third floor), away from exterior walls and the ground floor

144
Q

Hacktivists

A

Combination of hacker and activist, often combining political motivations with the thrill of hacking.

145
Q

Thrill Attack

A

Attacks launched only for the fun of it. Pride, bragging rights, etc.

146
Q

Script Kiddies

A

Attackers who lack the ability to devise their own attacks and instead download programs that do the work for them.

The main motivation behind these attacks is the "high" of successfully breaking into a system.

Service interruption may be the goal.

An attacker may destroy data, but the main motivation is to compromise a system, perhaps to use it as a launching point for attacks on another victim. Website defacements are common.

147
Q

Business Attacks

A

Focus on illegally obtaining an organization’s confidential information. The use of the information gathered during the attack usually causes more damage than the attack itself

148
Q

Financial Attacks

A

Carried out to unlawfully obtain money or services

149
Q

Terrorist Attacks

A

Purpose is to disrupt normal life and instill fear

150
Q

Military or intelligence attack

A

Designed to extract secret information

151
Q

Grudge Attacks

A

Attacks that are carried out to damage an organization or person. The damage could be in the loss of information or information processing capabilities or harm to the organization or person’s reputation.

152
Q

Sabotage

A

A criminal act of destruction or disruption committed by an employee who is knowledgeable about the assets of the organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.

153
Q

Espionage

A

The malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization.

Attackers often commit espionage with the intent of disclosing or selling the information to a competitor or another interested party (e.g. a foreign government).

Attackers can be dissatisfied employees and, in some cases, employees who are being blackmailed by someone outside the organization.

Countermeasures against espionage: strictly control access to all nonpublic data, thoroughly screen new employee candidates, and effectively track all employee activities.

154
Q

Integrity Breaches

A

Unauthorized modification of information, violations are not limited to intentional attacks.

Human error, oversight, or ineptitude accounts for many instances.

155
Q

Confidentiality Breaches

A

Theft of sensitive information