Domain 4: Security Operations Flashcards
Security techniques
Objective 4.1
Secure baselines
• Baseline
- A documented and reviewed specification for system configuration. Serves as the basis for secure configurations by having only necessary software installed; all unnecessary software has been removed and unnecessary features disabled
• established baseline
- create a system configuration for the organization with only vital components included, security controls in place, unnecessary services and ports disabled, and only secure protocols utilized
• deploy baseline
- Utilizing the baseline configuration to build various system images from
• maintain baseline
- updating, patching and modifying the configuration as organizational needs require
Hardening endpoints
• servers and workstations
• adhering to baseline security configuration
- disabling unnecessary services and ports
- Closing unnecessary ports
- removing unused software
- use of secure protocols
- use of application allow list/block list
• patch management
• Regular backups
Hardening endpoints (continued)
• Anti-virus
- A program specifically designed to detect many forms of malware and prevent them from infecting computers
- The output of a specific antivirus program will vary. If malicious software is detected, steps should be taken to investigate and mitigate as needed.
- anti-malware is a form of antivirus that focuses on polymorphic malware and malware that is delivered by zero-day exploits
• Endpoint Detection and Response (EDR)
- an integrated solution providing continuous monitoring and collection of endpoint data with rule-based automated response and analysis capability
Hardening endpoints (continued)
• Data Loss Prevention (DLP) solutions
- using a system or application to identify, monitor and protect confidential data within a centralized management framework
- DLP products can send alerts, block users from moving files and quarantine files away from users
Hardening endpoints (continued)
• full disk encryption (FDE) / self-encrypting drive (SED)
- Full disk encryption (FDE): the process of encrypting all the data on the hard drive used to boot a computer, including the computer's operating system, and permitting access to the data only after successful authentication with the full disk encryption product
- Self-encrypting drive (SED): a drive that uses built-in hardware to encrypt/decrypt data stored on the drive
• file integrity monitoring (FIM)
- software that generates, stores and compares message digests for files to detect changes made to the files
- If an unexpected change is detected in a file, the file and its changes should be inspected
- Especially crucial with installation media, as it is possible to install a Trojan disguised as a benign program. If the file integrity check fails, the installation is not what it seems.
Network devices
• use of encryption where possible on infrastructure devices, such as switches and routers
• use of encrypted protocols for network management, consoles, and administrative tasks
• being able to control what traffic can go where on a network is vital for both the performance and security of the network
Cloud infrastructure
• monitor access through use of a Cloud Access Security Broker (CASB)
• utilize secure protocols
• limit the number of unused VMs
Mobile device management
• Mobile device management (MDM)
- mobile devices may contain sensitive information, and that information needs protection in case of loss/theft
- mobile devices used for both personal and business purposes have additional management concerns
- Application management:
- Determining what applications and application installation sources will be allowed, often using an application whitelist
- Monitor application behaviors in a secure environment before adding to the whitelist. Even applications from an official App Store can turn out to be malicious.
- Content management:
- ensure mobile devices in the environment use company data securely
- Used to label files as being confidential or company-only information, preventing them from being transferred or shared against the DLP guidelines
Mobile device management (continued)
• Geofencing
- using a device's location to enable or disable software or hardware on the device. Can also be used to trigger events or alerts.
- May be used to ensure that sensitive data can only be accessed on site or to disable video/picture-taking capabilities in a secure area
• Push notifications services
- Notifications sent by applications on the device to the user, usually to notify/remind them of something application-specific
• Remote wipe
- Ability to remotely and securely remove all data from a mobile device
- can be used in the event a device is stolen or a source of data theft/leakage is found 
Mobile device management (continued)
• Screen locks
- A password, PIN, pattern or biometric that needs to be entered before a mobile device can be unlocked
- In conjunction with data encryption, this can help secure sensitive data on mobile devices
- If no authentication method is used, anyone who picks up the device has access to the data
• Passwords and PINs
- Passwords and PINs rely on complexity to be effective. A short or non-complex PIN may be easily brute-forced
• Biometrics
- Typically include fingerprint or face scanning
- Generally more secure than a password- or PIN-based lock, though false positives can occur
Mobile device management (continued)
• Context-aware authentication
- using data such as the user's location, the time, and the type of data being accessed to decide whether the user trying to authenticate is actually the user
- Rules can be simple or complex to incorporate multiple data points to make a decision
• Containerization
- Running a separate virtual environment on a mobile device
- the container can have its own security policies separate from the user's device itself
Mobile device management (continued)
• Storage segmentation
- Separating out segments of storage to be used for specific purposes by designating different areas of memory for each data type
- Provides similar functionality to that of containerization, but does not create a separate virtual environment
• Full device encryption (FDE)
- Everything on the device is encrypted, except for the master boot record, resulting in the need for authentication before accessing any data on the device
- ensures data will be protected if the device is lost/stolen
ICS / SCADA
• industrial control systems (ICS) are embedded systems
• Supervisory control and data acquisition (SCADA) systems interface with ICS devices
• typically part of a specialized network known as an Operational Technology (OT) network
- separate from the typical data network
- Access should be air-gapped or heavily monitored
Mobile device administration
• ownership concerns
• Legal concerns
• Connectivity
- cellular
- Wi-Fi
- Bluetooth
• Deployment models
- Bring-your-own-device
- Corporate-owned, personally-enabled (COPE)
- Choose-your-own-device (CYOD)
Bring-your-own-device
• policy where employees are allowed or encouraged to use their personal devices for business purposes. Poses the most security issues.
• things to consider:
- Privacy
- Data ownership
- Support
- Onboarding/offboarding
- legal concerns 
Choose-your-own-device
• policy where an organization offers a selection of devices for an employee to choose from
• very similar to COPE, with all the same issues involved
• Corporate-owned
- Policy where the organization buys and maintains control over a device that the organization chooses
- often referred to as corporate-owned, business-only (COBO), as devices are to be used only for business purposes
Applications security
Input validation and sanitization
• the way applications handle input is important to prevent attacks such as SQL injection, directory traversal and cross-site scripting (XSS)
• fields that take a specific type of input can be more easily validated
• example: a phone number field should only accept numerical strings up to the length of a phone number and has no reason to be accepting letters or other special characters
Secure cookies
• a type of HTTP cookie that has the Secure attribute set, which limits the scope of the cookie to "secure" channels
• when a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over HTTPS
Code analysis
• Static code analysis
- used to analyze code before it is packaged into an application
- static analysis does not actually execute the code itself
- static analysis can help find certain types of vulnerabilities such as code injection flaws and failure to sanitize inputs
• Dynamic code analysis
- testing the code by simulating a real-world environment and attempting to provide it with all possible inputs to determine if there are any undesirable outcomes
- An application may perform in ways the developers did not predict
- to verify that input validation is working, pentesters may use a technique called fuzzing. Fuzzing is an automated process that repeatedly enters random input strings to see if some type of input abuse may be possible.
- fuzzing tools provide an application with random inputs to test the limits of input validation
Code signing
• ensures an application has not been modified and confirms the author of the application
• accomplished by hashing the file and signing the hash with the developer's private key (asymmetric encryption) to provide a certificate-based digital signature
• provides integrity and non-repudiation
Asset management
Objective 4.2
Acquisition and procurement
• identifying hardware and software solutions to suit the needs of the organization
• purchasing from reputable vendors, using genuine hardware with a secure supply chain
• devices will create a "paper trail" that can be investigated to determine the origin of the hardware after receiving the device
• Asset tagging
- semi-permanent labels for inventory tracking of officially procured devices
- No tag? No network access.
Assignment
• Ownership
- Identifying and documenting the individual or office location a device is provided for
- Keeping track of the devices we gave you
• Classification
- Identifying and documenting the role and purpose of a device
Asset tracking and monitoring
• Inventory
- List of physical assets acquired by the organization
• Enumeration
- List of network assets on the organization's network
- Are they the same? What if there is a difference?
Decommissioning
- when removing a device from an organization's network, care must be taken that any sensitive data is purged from the device
- How this is accomplished varies by device:
- spinning-disk magnetic hard drives, for example, should be degaussed or shredded to ensure no residual data remains
- solid-state drives cannot be degaussed; they should be securely erased or shredded
- Network appliances (routers, switches) should have any configuration data reset and purged
- devices such as scanners and printers should be evaluated according to the manufacturer's documentation about how best to remove any possible data stored on the device
Disposal
• Sanitization
- deleting sensitive data from drive
• Destruction
- physically destroying the drive so that it cannot be used
- Example, drill, incinerate, grind up/shred
• Certification
- Ensuring the drive was delivered to a technician to destroy the drive
- technician marks time/date of drive destruction
• Data Retention
- Before disposal, check with regulations and policies on data retention requirements
Wireless security
Cryptographic protocols
• WEP (Wired Equivalent Privacy - great name, terrible protection)
- found to be cryptographically insecure
- deprecated
• WPA (Wi-Fi Protected Access) and WPA2
- WPA was created to replace Wired Equivalent Privacy (WEP) when WEP was found to be insecure.
- WPA uses RC4 with the inclusion of the Temporal Key Integrity Protocol (TKIP), which uses an encrypted hash with a sequence counter and a 48-bit IV to avoid the problems inherent in WEP
- WPA2 is a stronger version of WPA, using AES in conjunction with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
Cryptographic protocols (continued)
• WPA3
- weaknesses found in WPA2 drove the development of WPA3
- replaces the authentication scheme: uses Simultaneous Authentication of Equals (SAE) to replace the pre-shared key exchange protocol from WPA2 so attackers cannot intercept authentication credentials
- Encryption baked in: encrypts traffic from endpoint to endpoint, even without a password
- replaces cryptographic protocols: replaces AES-CCMP with AES Galois/Counter Mode Protocol (GCMP)
- Easy Connect: allows devices to scan a QR code to configure and join the network
WPA3 = AES + GCMP
802.1X
Network Access Control (NAC)
- IEEE 802.1X is a technical specification for authenticating users to provide network access
- the specification is embodied in a framework called Extensible Authentication Protocol (EAP)
- there are several implementations of EAP, to name a few:
- EAP-TLS
- EAP-TTLS
- PEAP
- EAP-FAST
RADIUS
- Remote Authentication Dial-In User Service (RADIUS) uses a centralized server to provide authentication, authorization and accounting (AAA) to remote users in a scalable way
- users connect to a RADIUS client (access point, switch, etc.) and provide the client with their credentials
- The RADIUS client does not store credentials. Instead, it forwards them to the AAA server in an encrypted access request packet.
- The AAA server decrypts and checks the credentials, providing the RADIUS client with an access response
- The RADIUS client validates that the AAA information is from the server and in turn responds to the user to allow or deny access
Authentication protocols
• Personal
- WPA2-PSK - a pre-shared key (password) for authenticating (on the test, may be written as WPA2-Personal)
- WPA3-SAE - PAKE, Password-Authenticated Key Exchange (on the test, may be written as WPA3-Personal)
• Enterprise
- WPA2-Enterprise
- WPA3-Enterprise
- allows users to authenticate with their enterprise credentials
- Both WPA2 and WPA3 utilize 802.1X authentication
- 802.1X utilizes a RADIUS server to verify user credentials before joining the network
Wireless installation
• Site surveys
- Data collection of signal strength at a specified or measured location
• Heat maps
- color visualization of the measured signal strength to provide an at-a-glance interpretation of the site survey
Vulnerability management
Objective 4.3
Identifying vulnerabilities
• Vulnerability scan
- Enumerates hosts on the network
- Lists detected vulnerabilities according to signatures and definitions
- Examples: Nessus, OpenVAS
Open-source intelligence
- Data that is publicly available and can be used to further an attack
- information found via email harvesting and social media profiling
- Things that can be found using Google, Facebook, etc.
- in the context of security, consider any information which is freely available as having the potential to further a spear-phishing attack
Proprietary
- Opposite of open-source intelligence; closed/proprietary information is not public and comes from specific sources
- typically commercial solutions that cost money to use
- it is typically higher-quality information than the information you would find in open-source intelligence
Deep web/dark web
• Deep web
- The unindexed pages of the internet that cannot be reached by normal search engines or browsers
• Dark web
- meeting place for hackers to share illegally obtained information and credentials
- Tor (The Onion Router) - encrypted medium for obfuscating network traffic to anonymize activity on the dark web
- layer upon layer of encrypted, convoluted traffic makes it extremely difficult to track a user
- Layers like an onion, hence the name
Intelligence sharing
- Information Sharing and Analysis Centers (ISACs)
- Security Information Exchanges (SIX)
- Public/private information sharing centers
- Collaborative efforts for sharing indicators of compromise, threat intelligence, and best practices
- Often industry-specific or region-based
- some organizations publish threat intelligence information to be shared with clients or the public at large
Penetration testing
• Penetration testing is simulating an attack with the goal of finding both weaknesses and strengths. It involves actively exploiting vulnerabilities as they are discovered, to penetrate as far as possible into the target system.
- Look for common known exploits, as well as unknown exploits
• Vulnerability scanning uses software to check for known vulnerabilities
- Generally uses passive techniques and does not exploit any vulnerabilities which are found in the scan
- vulnerability scanning would likely be part of a penetration test
Responsible disclosure programs
• Bug bounties
- Program offered by organizations to safely and securely disclose vulnerabilities found in their products, networks or systems for the purpose of being fixed
- many bug bounty programs offer monetary rewards for bugs that are discovered
- information security professionals make a living from bounty programs alone
- Example: HackerOne
System/process audit
- Systematic review of the information systems and operational processes of the organization
- May be mandated by industry regulations such as HIPAA and Sarbanes-Oxley (SOX)
- standards/frameworks for the workflow are available from NIST and ISO
- benefits the organization by being able to identify problems before they arise
- May be carried out in-house or by a third party, depending on regulatory requirements
Vulnerability analysis
Confirmation
• True Positive
- when a scan identifies a vulnerability that does actually exist
• True Negative
- when a scan reports no vulnerabilities present when none exists
• False Positive
- when a scan identifies a vulnerability that does not actually exist
- consider the time which can be lost due to chasing down false positives
• False Negative
- when a scanner reports no vulnerabilities present when one exists
Prioritization
- Analyzing identified risks and determining the order in which each item should be addressed
- Priority is given to the most worrisome based on measured risk (highest probability, greatest impact)
- Priority might also be given to mitigations that are cheapest (no cost) to address
CVE
• Common Vulnerabilities and Exposures (CVE)
- A reference method for publicly known information security vulnerabilities
- CVE IDs use the format CVE-YYYY-NNNNN, where YYYY is the year that the vulnerability was discovered and NNNNN is an arbitrary number assigned to the vulnerability
CVSS
• Common Vulnerability Scoring System (CVSS)
- scoring system for vulnerabilities that gives the level of impact on an organization should the vulnerability be realized
- impact can be assessed based on the CIA triad
Vulnerability classification
- categorizing vulnerabilities based on characteristics, such as the type of system, version of software, model of hardware, etc.
- Helps to clarify the scope and nature of a particular threat
Exposure factor
- The percentage of the value of an asset that is lost if a specific threat comes to pass
- Example: suppose a window is valued at $1000. If calculating the risk of the window breaking…
- Do you have to replace the whole window? (Cost $1000, so EF is 100%)
- Can you replace just one pane? (Cost is $500, EF is 50%)
- Maybe you got a replacement policy for free with a $100 deductible back when it was first purchased (cost is $100, so EF is 10%)
Environmental variables
- when threat intelligence comes in about a particular vulnerability, the assessment performed by others may not apply to an organization's particular setup
- An organization's infrastructure, including the hardware, software, networks and other systems, all play a role in determining how a particular vulnerability may play out. The infrastructure may suppress the impact, or it may amplify the impact.
- each organization's setup is unique, so the specific impact of a vulnerability is also unique
Impact
- Impacts a vulnerability could have may be:
- Financial loss
- Reputational Damage
- operational disruption
- Regulatory penalties
- business partnership loss
- Reputational harm, Customer aversion
- Organizational impact
- Industry impact
Risk tolerance
- The measure of risk an organization is willing to accept
- The level varies greatly depending on organization size, strategic objectives, industry, regulations, etc.
- Often identified in light of vulnerability analysis and determining where to spend resources safeguarding the network. At some point, an organization's decision makers will say this is good enough for now.
Vulnerability response
Patching
- when vulnerabilities have been identified, organizations will seek to update the software or firmware
- vendors make patches available for this purpose
- Sometimes a vulnerability is discovered and a patch is not available for a long time:
- Segment the device away from the network
- Monitor data coming and going from the device
Insurance
- cybersecurity insurance provides financial backing to minimize financial losses
- Cyber insurance has requirements for coverage:
- regular security testing
- Operation in compliance with industry regulations
- documented security policies
- Evidence of employee training
Segmentation
- Isolating systems from the organization's network or putting the network device in its own network to safeguard the rest of the organization from infection
- Limits scope of impact