Domain 7: Security Operations Flashcards
Incident Response Steps
Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons Learned
Detection
- (aka Identification)
- What are all of the inputs into my incident response process?
- Events > Incidents
Response
- (aka Containment)
- Step-by-step, depending upon classification and severity
- Forensic response?
Mitigation
- (aka Eradication)
- Root cause analysis completed
- Get rid of bad things
Reporting
- More formal here
- Includes incident responders (technical and non-technical)
Recovery
- Restore systems and operations
- Increase monitoring
Remediation
- Broader in context
Lessons Learned
- (aka Post-incident Activity, Post Mortem, Reporting)
Operational Preventive and Detective Controls
- IDS/IPS
- Firewall
- Security Services
- Anti-malware
- Honeypot
- Sandboxing
Positives and negatives
- True Positive: Conficker worm is spreading on a trusted network, and NIDS alerts.
- True Negative: User surfs the web to an allowed site, and NIDS is silent.
- False Positive: User surfs the web to an allowed site, and NIDS alerts.
- False Negative: Conficker worm is spreading on a trusted network, and NIDS is silent.
Continuous Monitoring
- Assessing and reassessing as an ongoing process
- A modern improvement to legacy Certification and Accreditation
Data Loss Prevention (DLP)
- Class of solutions used to detect and/or prevent data from leaving the organization
- Host-based, network-based and application-based solutions
Endpoint Security
- HIDS/HIPS
- Antivirus
- Application Whitelisting (Most Effective)
- Removable Media Controls
- Disk Encryption
- Privileged Access
Sandboxing
- Security mechanism for separating running programs, usually in an effort to keep system failures and/or software vulnerabilities from spreading.
- Used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.
Configuration management
- The goal is to move beyond the default system configuration to one that is both hardened and meets the operational requirements of the organization.
- Disabling unnecessary services
- Removing extraneous programs
- Enabling security capabilities