Domain 2 - Security Operations Flashcards
What is a baseline?
A detailed configuration standard that includes specific security settings.
What are some examples of security guidelines?
- A method for selecting a strong password.
- Criteria for evaluating new security technology.
- Suggested training curricula for staff.
What is a standard?
A formal, documented requirement that sets uniform criteria for a specific technology, configuration, nomenclature, or method.
What helps organizations maintain consistency in the way security risks are addressed?
Standards, baselines, procedures, and even guidelines.
What is a procedure?
Step-by-step instructions for performing a specific task or set of tasks.
What are the typical components of a procedure?
- Purpose
- Applicability
- Steps
- Figures
- Decision points
What is release management?
A software engineering discipline that controls the release of applications, updates, and patches to the production environment.
What is the goal of release management?
To provide assurance that only tested and approved application code is promoted to production or distributed for use.
Code Signing?
Assists users in validating that the application was issued by a trusted source and has not been modified since it was signed.
Historically associated with browser-executed code such as Java applets and ActiveX controls, but applies to any distributed executable, driver, or package.
Smoke Test?
High-level, scripted testing of the major application components and interfaces to validate the integrity of the application before making it available.
Systems Assurance?
Process of validating that existing security controls are configured and functioning as expected.
Change Control?
Process adopted by an organization to ensure that all changes to system and application software are subject to the appropriate level of management control.
Change Control Process?
- Request submission
- Recording
- Analysis/impact assessment
- Decision making and prioritization
- Approval
- Status tracking
CM
CONFIGURATION MANAGEMENT
Discipline that seeks to manage configuration changes so that they are appropriately approved and documented.
A "technical and administrative" process.
Typical Steps in the configuration management process.
- Change request
- Approval
- Documentation
- Testing
- Implementation
- Reporting
Four Operational Aspects of CM
Identification
Control
Accounting
Auditing
CMDB
CONFIGURATION MANAGEMENT DATABASE
Holds information about the structure of the system.
CI
CONFIGURATION ITEM
A component of a system recorded in the CMDB and identified by a name, number, and version ID.
Security Impact Assessment
Analysis conducted by qualified staff within an organization to determine the extent to which changes to the information system affect the security posture of the system.
Interoperability
Describes the extent to which systems and devices can exchange data and interpret that shared data.
Syntactical Interoperability
Two or more systems that are capable of communicating and exchanging data using agreed formats and protocols (as distinct from semantic interoperability, which also requires a shared interpretation of the meaning of the data).
Patch Management Process
- Acquisition - find the patch
- Testing - test the patch before installation
- Approval - approve it for deployment
- Packaging - package or configure it for the OS
- Deployment
- Verification
SSCP Domains
- Access Controls
- Analysis and Monitoring
- Cryptography
- Malicious Code
- Networks & Telecommunications
- Risk, Response, & Recovery
- Security Operations and Administration
BMS
BALANCED MAGNETIC SWITCH
Door or window contact consisting of a magnet and a matched switch; opening the door, or tampering with the magnet to defeat the contact, upsets the balanced magnetic field and initiates an alarm signal.
PIR
PASSIVE INFRARED SENSORS
Common interior intrusion detection sensors.
e.g., an occupancy sensor.
Electric Locks vs Electric Strikes
Electric locks - the door's locking mechanism itself is electrified (power locks or unlocks the bolt).
Electric strikes - the lock and bolt remain unchanged; the strike plate in the frame is replaced with one that releases electrically.
Anti-Passback
Strategy where a person must present a credential to enter an area and again to leave.
"Mantrap"
A pair of interlocking doors: when a person opens the first door, the second door will not open until the one just entered has securely closed.
Rim Lock
Lock (or latch) typically mounted on the surface of a door.
Ex - dead bolt
Mortise Lock
Lock (or latch) that is recessed into the edge of a door rather than on the surface.
Ex - Handle + Lock in single package.
Locking Cylinders
A pin tumbler cylinder is composed of circular pin tumblers that fit into matching circular holes in two internal parts of the lock.
Cipher Lock
Controlled by a mechanical key pad.
Think of front door handle with PIN pad on it.
Vaults - Class M
1/4 hour (15 minutes)
Vaults - Class 1
1/2 hour (30 minutes)
Vaults - Class 2
One hour
Vaults - Class 3
Two hours
Classified Container
Reinforced Filing Cabinet that can store proprietary and sensitive information.
Cable Plant Management
Design, Documentation, and management of layer 1 in the OSI model, the Physical Layer.
MTBF
MEAN TIME BETWEEN FAILURES
Two-Person Rule
Strategy where two people must be in an area together, making it impossible for a person to be in the area alone.
Two main categories of smoke detectors
- Optical (photoelectric)
- Physical (ionization)
Three Types of Fire Detectors
- Flame Detectors
- Smoke Detectors
- Heat Detectors
Two Types of Flame Detectors
- IR
- UV
Four Groups of Sprinkler Systems
- Wet systems - pipes hold a constant supply of water.
- Dry systems - pipes hold pressurized air or nitrogen; when heat opens a sprinkler head the pressure drops and the dry-pipe valve releases water.
- Pre-action - no water enters the pipes until detectors in the area are activated; reduces damage from false alarms.
- Deluge - same as pre-action, but all sprinkler heads are in the open position.
2 Types of Gas Suppression
- Aero-K: uses a potassium-based aerosol.
- FM-200: colorless, liquefied compressed gas.
6 Aspects in the Change Control Policy Document
- Request Submission
- Recording
- Analysis/Impact Assessment
- Decision Making & Prioritization
- Approval
- Status Tracking
Operational Aspects of CM?
Identification, Control, Accounting, Auditing
Systems Certification Process?
Method of validating adherence to security requirements.
Dual Control
Antifraud measure that requires two people to complete a transaction.
Waterfall Model
Development method that follows a linear sequence of steps.
What two things are used to accomplish non-repudiation?
Digital Signatures
Public Key Infrastructure
What are the elements that make up IS risks?
Threat, Vulnerability, Impact
Risk = Threat + Vulnerability + Impact
Remote Attestation
Form of integrity protection in which cryptographic hashes (measurements) of the hardware and software configuration are reported to a remote verifier, which compares them against known-good values to confirm that the configuration has not been altered.
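The mechanism behind this card, as an added worked example that is not part of the original deck: a TPM keeps measurements in Platform Configuration Registers (PCRs) that can only be "extended" (folded forward with a hash), so the final value commits to every component and its order. The verifier replays the event log and compares against a golden value. The boot chain below is constructed, the golden value is assumed to have been recorded at provisioning, and the signature a real TPM quote carries is omitted because the standard library has no asymmetric crypto.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 bank


def measure(component):
    """Hash of the component as the firmware would measure it."""
    return hashlib.sha256(component).digest()


def extend(pcr, digest):
    """TPM-style extend: the register can only be folded forward, never set."""
    return hashlib.sha256(pcr + digest).digest()


def replay(event_log):
    """Recompute the final PCR from an ordered list of (name, bytes) events."""
    pcr = bytes(PCR_SIZE)
    for _, component in event_log:
        pcr = extend(pcr, measure(component))
    return pcr


# Constructed boot chain; a real log carries the firmware's actual measurements.
GOLDEN_LOG = [
    ("firmware", b"fw 1.2.0"),
    ("bootloader", b"grub 2.06"),
    ("kernel", b"vmlinuz-6.1.0"),
    ("cmdline", b"root=/dev/sda1 ro"),
]
GOLDEN_PCR = replay(GOLDEN_LOG)   # assumed: recorded at provisioning time


def verify(reported_pcr, golden_pcr=GOLDEN_PCR):
    """Verifier side. In a real deployment the reported value arrives inside a
    TPM quote signed by the device's attestation key; that check is omitted here."""
    return hmac.compare_digest(reported_pcr, golden_pcr)


def first_divergence(event_log, golden_log=GOLDEN_LOG):
    """When verification fails, name the first event whose measurement differs
    from the golden log, or report a length mismatch."""
    for (name, component), (_, gold) in zip(event_log, golden_log):
        if measure(component) != measure(gold):
            return name
    if len(event_log) != len(golden_log):
        return "log length"
    return None


if __name__ == "__main__":
    tampered = list(GOLDEN_LOG)
    tampered[2] = ("kernel", b"vmlinuz-6.1.0-backdoored")
    print(verify(replay(GOLDEN_LOG)))   # True
    print(verify(replay(tampered)))     # False
    print(first_divergence(tampered))   # kernel
```

Because each extend hashes the previous register value, swapping the order of two unmodified components also changes the result, which is why the verifier needs the event log and not just the final number.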
4 Tenets of the Code of Ethics
- Protect Society, commonwealth, and infrastructure
- Act honorably
- Provide Diligent service to principals
- Advance/Protect Profession
Confidentiality
Property of information in which it is only made available to those who have a legitimate need to know.
Integrity
Property of information whereby it is recorded, used, and maintained in a way that ensures its accuracy.
RAID
REDUNDANT ARRAY OF INDEPENDENT DISKS
Related availability measures: redundant controllers, UPS, backup and recovery.
Non-repudiation
Service that ensures the sender cannot deny a message was sent and the integrity of the message is intact.
(ISC)2 Code of Ethics
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Donn Parker’s 5 Ethical Principles
- Informed consent
- Higher ethic in the worst case
- Change of scale test
- Owner's conservation of ownership
- User's conservation of ownership
C-I-A Triad
Confidentiality
Integrity
Availability
Methods for Maintaining a level of Confidentiality
Authorization
Identity
Access management
Encryption
Disclosure controls
DLP
Data Leakage Prevention
Integrity
Property of information whereby it is recorded, used, and maintained in a way that ensures its completeness, accuracy, internal consistency, and usefulness for a stated purpose.
Systems Integrity
Maintenance of a known good configuration and expected operational function.
Sarbanes-Oxley Act of 2002
Mandates certain controls over the integrity of financial reporting.
SLA
Service Level Agreement
Specify percentage of uptime as well as support procedures and communication for planned outages.
RTO
Recovery Time Objective
Specifies the acceptable duration of an unplanned outage due to catastrophic system non-availability.
Security Architecture
The practice of designing a framework for the structure and function of information security systems and practices in the organization.
Essential Best Practices Include:
- Defense in depth
- Risk-based controls
- Least privilege
- Authorization
- Accountability
- Separation of duties
Calculate Risk Equation
IMPACT + VULNERABILITY + THREAT = RISK
LUA
"Least User Access"
"Least Privilege"
Different Categories of Controls
- Management - Controls concerning risk (Policy and Procedures)
- Technical - Executed in hardware,software, and firmware.
- Operational - Primarily implemented and executed by people.
NIST SP 800-88
NIST Guidelines for Media Sanitization; includes the matrix for determining requirements for clearing and sanitizing media.
Oersteds
Unit of measurement for the intensity of the magnetic energy a disk or tape can store.
Degaussing
A technique for erasing data on disk or tape that ensures there is insufficient magnetic remanence to reconstruct the data.
IRM
Information Rights Management
Functions to assign specific properties to an object such as how long the object may exist, what users can access it, and if any notifications should be sent if any changes occur.
Data Scrubbing
aka Data Sanitization
Obfuscate sensitive data in such a way that the actual data values cannot be deduced or derived from the sanitized data itself.
Deduplication
Process that scans the entire collection of information looking for similar chunks of data that can be consolidated.
ITAM
IT Asset Management
Entails collecting inventory, financial, and contractual data to manage the IT Asset throughout its life cycle.
Session Management
Includes timing out inactive sessions, deleting session information after timeout, never passing session IDs or credentials in URL strings, and storing only a hash of each session ID server-side so a copied session store cannot be replayed.
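The controls on this card in code, as an added example that is not from the original deck: an in-memory session store that issues 256-bit random IDs, keeps only a SHA-256 of each ID server-side, expires idle sessions and deletes their state, and emits the cookie attributes that keep the ID off the URL and away from page scripts. The 15-minute idle timeout and the cookie name are assumed values.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # assumed policy: 15 minutes of inactivity ends the session


def set_cookie_header(session_id):
    """Cookie attributes that keep the ID out of URLs, logs and scripts.
    HttpOnly: not readable by JavaScript; Secure: HTTPS only; SameSite: not
    sent on most cross-site requests."""
    return f"Set-Cookie: sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


class SessionStore:
    """In-memory session store.

    The client holds the raw session ID in a cookie; the server keeps only a
    SHA-256 of it, so a copied store (backup, memory dump, log) does not yield
    cookies that can be replayed.  The ID is 256 bits from the OS CSPRNG, so it
    cannot be guessed and an unkeyed hash is sufficient.
    """

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._sessions = {}    # sha256(session_id) -> {"user": ..., "last_seen": ...}

    @staticmethod
    def _key(session_id):
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, user):
        session_id = secrets.token_urlsafe(32)
        self._sessions[self._key(session_id)] = {"user": user, "last_seen": self._now()}
        return session_id

    def lookup(self, session_id):
        """Return the user bound to this ID, or None if unknown or timed out."""
        key = self._key(session_id)
        record = self._sessions.get(key)
        if record is None:
            return None
        if self._now() - record["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[key]        # delete the state on timeout, don't just flag it
            return None
        record["last_seen"] = self._now()  # sliding idle window
        return record["user"]

    def destroy(self, session_id):
        """Logout: remove the server-side record so the cookie is worthless afterwards."""
        self._sessions.pop(self._key(session_id), None)

    def holds_raw_id(self, session_id):
        """True only if the raw ID were stored; exists to show that it is not."""
        return session_id in self._sessions


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(set_cookie_header(sid))
    print(store.lookup(sid))   # alice
    store.destroy(sid)
    print(store.lookup(sid))   # None
```

The clock is injected so the timeout path can be exercised without sleeping; in a real service the store would also be shared across workers (a database or cache) and the ID rotated on privilege change such as login.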
CSRF
Cross Site Request Forgery
Forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically sent authentication information, to a vulnerable web app. This lets the attacker make the victim's browser generate requests that the vulnerable application treats as legitimate requests from the victim.
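Why the attack works and the standard defense, as an added example (not code from the original deck): the session cookie is attached to any cross-site request automatically, so it proves nothing about intent; a synchronizer token that another origin cannot read does. The token here is an HMAC over the session ID, so it needs no server-side storage and cannot be transplanted from the attacker's own session. The server secret, the site origin and the session IDs are constructed values.

```python
import hashlib
import hmac
import secrets

# Assumed: one secret per deployment, loaded from configuration in a real app.
SERVER_SECRET = secrets.token_bytes(32)

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def csrf_token(session_id, secret=SERVER_SECRET):
    """Synchronizer token bound to the session with an HMAC.
    It changes whenever the session does and is useless with any other cookie."""
    return hmac.new(secret, b"csrf:" + session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(origin_header, site_origin):
    """Defense in depth: browsers add Origin on cross-site POSTs and page scripts
    cannot forge it. Absent header is tolerated for older clients."""
    return origin_header is None or origin_header == site_origin


def authorize_request(method, session_id, form_token, origin_header,
                      site_origin="https://app.example", secret=SERVER_SECRET):
    """Return True if the request may proceed.

    session_id comes from the cookie (sent by the browser on any request),
    form_token from the request body (only present if the submitting page
    could read it, i.e. was served by this site)."""
    if method.upper() in SAFE_METHODS:
        return True                       # safe methods must never change state
    if not origin_allowed(origin_header, site_origin):
        return False
    if form_token is None:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), form_token)


if __name__ == "__main__":
    victim_session = "c0ffee"   # constructed value
    legit = authorize_request("POST", victim_session, csrf_token(victim_session),
                              "https://app.example")
    # A form on evil.example: the browser attaches the cookie but no token.
    forged = authorize_request("POST", victim_session, None, "https://evil.example")
    print("legitimate:", legit, "forged:", forged)
```

Note the ordering: the method check comes first so that the application never relies on CSRF tokens to protect a GET, which would mean some GET endpoint changes state and should be fixed instead.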
Missing Function Level Access Control
While most web apps verify function-level access rights before making that functionality visible in the UI, the same access control checks must be performed on the server each time a function is accessed. If they are not, attackers can forge requests to reach functionality without proper authorization.
Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. An attacker can manipulate these references to access unauthorized data.
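The two cards above share one fix, the server re-checking authorization on every request, so this added example (constructed sample data, not the deck's own code) covers both: an ownership check on a record addressed by its database key, a per-user map of opaque handles as the "indirect reference" alternative, and a function-level check that does not trust the UI to have hidden the button. The invoice table, user roles and the set of admin-only functions are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str


# Constructed sample data: records addressed by their raw database key.
INVOICES = {
    101: {"owner": 1, "amount": 250},
    102: {"owner": 2, "amount": 990},
}
ADMIN_FUNCTIONS = {"delete_invoice", "export_all"}   # assumed privileged operations


def get_invoice_vulnerable(user, invoice_id):
    """IDOR: the key from /invoice?id=102 is used as-is, so any logged-in
    user can read any invoice by changing the number."""
    return INVOICES.get(invoice_id)


def can_read_invoice(user, invoice_id):
    """Server-side ownership check. Unknown and not-owned IDs look identical to
    the caller, so the endpoint cannot be used to enumerate which IDs exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False
    return invoice["owner"] == user.id or user.role == "admin"


def get_invoice(user, invoice_id):
    return INVOICES[invoice_id] if can_read_invoice(user, invoice_id) else None


_REFERENCE_MAPS = {}   # user id -> {opaque handle: database key}


def indirect_references(user):
    """Alternative: expose random per-user handles instead of database keys.
    The map is built only from what the user owns, so a handle that is not in
    it resolves to nothing, and handles cannot be guessed or incremented."""
    if user.id not in _REFERENCE_MAPS:
        owned = [key for key, inv in INVOICES.items() if inv["owner"] == user.id]
        _REFERENCE_MAPS[user.id] = {secrets.token_hex(8): key for key in owned}
    return _REFERENCE_MAPS[user.id]


def resolve(user, handle):
    return INVOICES.get(indirect_references(user).get(handle))


def can_call(user, function_name):
    """Function-level check. Hiding a menu item in the UI is not authorization;
    this rule runs on the server for every request."""
    if function_name in ADMIN_FUNCTIONS:
        return user.role == "admin"
    return True


if __name__ == "__main__":
    bob = User(2, "user")
    print(get_invoice_vulnerable(bob, 101))   # Alice's invoice leaks
    print(get_invoice(bob, 101))              # None
    print(can_call(bob, "delete_invoice"))    # False
```

Returning the same "not found" for a missing and a not-owned record is deliberate: a distinguishable error would let an attacker map which IDs exist even when the data itself is protected.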
XSS
Cross Site Scripting
Flaws that occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. Allows attackers to execute script in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.
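Escaping is context-dependent, which the card's phrase "proper validation and escaping" compresses; this added example (not from the original deck) shows the raw interpolation beside the correct output encoding for three contexts: element content, a quoted attribute, and JSON embedded in a script block. The payload strings are constructed.

```python
import html
import json


def render_comment_vulnerable(comment):
    """Untrusted text dropped straight into HTML: a <script> in the comment
    runs in every reader's browser with that reader's session."""
    return f"<p class=\"comment\">{comment}</p>"


def render_comment(comment):
    """Element-content context: encode <, >, & and both quote characters."""
    return f"<p class=\"comment\">{html.escape(comment, quote=True)}</p>"


def render_name_field(value):
    """Attribute context: the value sits inside double quotes, so an unescaped
    double quote would close the attribute and let the input add its own
    event handler. quote=True turns it into &quot;."""
    return f"<input name=\"display_name\" value=\"{html.escape(value, quote=True)}\">"


def json_for_script(obj):
    """Script context: HTML escaping is wrong here (the browser does not decode
    entities inside <script>). JSON-encode, then escape the angle brackets so
    the data cannot contain a literal </script> that ends the block early."""
    return json.dumps(obj).replace("<", "\\u003c").replace(">", "\\u003e")


def render_bootstrap_data(obj):
    return "<script>var data = " + json_for_script(obj) + ";</script>"


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_comment_vulnerable(payload))
    print(render_comment(payload))
    print(render_name_field('" onfocus="alert(1)" autofocus="'))
    print(render_bootstrap_data({"bio": "</script><script>alert(1)</script>"}))
```

The `\u003c` escape stays valid JSON, so the browser's JSON or JavaScript parser still sees the original `<`; only the HTML parser, which scans for `</script>` before JavaScript runs, is prevented from seeing it.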
Injection
SQL, OS, and LDAP injections occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
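The SQL case worked through, as an added example that is not part of the original deck: a login query built by string concatenation beside the parameterized form, run against a constructed in-memory SQLite table. Passwords are stored in plaintext only to keep the query itself in focus; a real table holds salted password hashes. The same principle (fixed command text, data passed separately) applies to the OS and LDAP cases the card lists.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Untrusted input spliced into the command text: the interpreter (SQLite)
    cannot tell where the data ends and the query resumes."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login(conn, name, password):
    """Parameterized query: the SQL text is fixed and the values travel
    separately, so a quote or comment marker in the input is just bytes in a
    string and never reaches the parser as syntax."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # "alice' --" closes the string literal and comments out the password check
    print(login_vulnerable(conn, "alice' --", ""))   # [('alice', 'admin')]
    print(login(conn, "alice' --", ""))              # []
    # a tautology in the password field returns every row
    print(login_vulnerable(conn, "x", "' OR '1'='1"))
    print(login(conn, "x", "' OR '1'='1"))           # []
```

Escaping quotes by hand is not an equivalent fix: numeric fields, LIKE patterns and database-specific character handling each leave gaps, whereas bound parameters never enter the parser as SQL at all.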
OWASP Top 10 (2013 edition)
- Injection
- Broken Authentication & Session Management
- XSS - Cross Site Scripting
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- CSRF (Cross Site Request Forgery)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
OWASP
Open Web Application Security Project
Nonprofit community that publishes freely available web application security resources, including the Top 10 list of the most critical web application risks.
Agile
Example of Iterative Development Model.
Relies on feedback from application users and development teams as its primary control mechanism.
RAD
Rapid Application Development
Leverages modern development environments that make it possible to quickly build UI components as requirements are gathered.
PROS? Quick, and typically catches issues early.
CONS? Can suffer from "scope creep" as new requirements are continually added and teams lose sight of the end goal.
Spiral Model
Similar to the Waterfall Development Cycle, but adds a repeated PDCA (Plan-Do-Check-Act) sequence at the end of each stage.
In which phase of web app development is the software programming completed?
Implementation
Who participates in the design phase of a web app?
The security architect or administrator.
The general design document, once refined, produces specifications for the...
Detailed design.
Where is the design first laid out?
The general design document.
Who signs off on "Requirements Gathering and Analysis"?
The project sponsor and stakeholders.
The Waterfall Model
Six steps for developing software applications as safely and securely as possible.
- Requirement Gathering and Analysis
- System Design
- Implementation
- Integration
- Deployment
- Maintenance
UML
Unified Modeling Language
Documentation of sequences of actions called use cases.
Authorizing Official or Approver
Senior executive or manager with the authority to assume full responsibility for the system covered in the system security plan.
Security Officer
Responsible for coordinating the development, review, and acceptance of security plans, and for the IDENTIFICATION, IMPLEMENTATION, ADMINISTRATION, and ASSESSMENT of security controls.
Information Owner
Has overall authority for the information stored, processed, or transmitted by the system. Responsible for specifying policies for appropriate use of information and security requirements for protecting information in the system.
System Owner
Responsible for decisions regarding system procurement or development, implementation and integration, and operation and ongoing maintenance.
System Security Plan
Comprehensive document that details the security requirements for a specific system, the controls established to meet those requirements, and the responsibilities and expected behaviors of those administering and accessing the system.
AC (Security Control)
Access Control
Technical
AT (Security Control)
Awareness Training
Operational
AU (Security Control)
Audit and Accountability
Technical
CA (Security Control)
Security Assessment and Authorization
Management
CM (Security Control)
Configuration Management
Operational
CP (Security Control)
Contingency Planning
Operational
IA (Security Control)
Identification and Authentication
Technical
IR (Security Control)
Incident Response
Operational
MA (Security Control)
Maintenance
Operational
MP (Security Control)
Media Protection
Operational
PE (Security Control)
Physical & Environmental Protection
Operational
PL (Security Control)
Planning
Management
PM (Security Control)
Program Management
Management
PS (Security Control)
Personnel Security
Operational
RA (Security Control)
Risk Assessment
Management
SA (Security Control)
System and Services Acquisition
Management
SC (Security Control)
System and Communications Protection
Technical
SI (Security Control)
System and Information Integrity
Operational
Directive (Controls)
Designed to specify acceptable rules of behavior within an organization.
Deterrent (Controls)
Designed to discourage people from violating security directives.
Preventive (Controls)
Prevent a security incident or information breach.
Compensating (Control)
Implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level.
Detective (Control)
Designed to signal a warning when a security control has been breached.
Corrective (Control)
Implement to remedy circumstance, mitigate damage, or restore controls.
Recovery (Control)
Implemented to restore conditions to normal after a security incident.