Domain: 7 Security Operations 13% Flashcards
1
Q
Administrative Security
A
Provides the means to control people’s operational access to data.
2
Q
Least Privilege
A
We give employees the minimum necessary access they need, no more, no less.
3
Q
Need to know
A
Even if you have access, if you do not need to know, then you should not access the data.
4
Q
Separation of duties
A
More than one individual in a single task is an internal control intended to prevent fraud and error. We do not allow the same person to enter the purchase order and issue the check.
5
Q
Job rotation
A
Job rotation to detect errors and frauds. Makes it easier to detect fraud and there is less chance of collusion btw individuals if we use job rota
6
Q
Mandatory vacations
A
Done to ensure one person is not always performing the same task, someone else has to cover and it can keep fraud from happening or help us detect it. Their accounts are locked and an audit is prfrmd on the accnt.
7
Q
NDA (non disclosure agreement)
A
Can be btw employees and the org. Or btw two orgs.
8
Q
Background check
A
references, degrees, employment history, certifications, criminal history, credit history. For sensitive pos the bckgrnd chck is an ongoing process.
9
Q
Privilege monitoring
A
The more access and privilege an employee has the more we keep an eye on their activity. We continually audit and monitor what they access. This is normally automated.
10
Q
Digital (comp) forensics
A
Focuses on the recovery and investigation of material found in digital devices, often in relation to comp crime. Forensics is based on gathering and protecting the evidence, where incidents responses are how we react in an event breach. We preserve the crime scene and the evidence, we can prove the integrity of it at a later needed time,oftn court.
11
Q
The forensic process:
A
- Id the potential evidence, acquire the evidence, anayze the evidence, make a report.
- be aware of how we gather our forensic evidence, attckrs are cvring their tracks, deleting the evdnc and logs.
- This can be through malware that is only in volatile mem, if pwr is shut off (to preserve the crime scene), the malware is gone and the evidence is lost.
- Disconnect sys from ntwrk adn take bit by bit copies of the mem, drives, running processes & ntwrk cxn data.
12
Q
The evidence
A
we collect must be accurate, complete, authentic, convincing, admissible.
13
Q
Identification
A
Id the evidence, what is left behind.
14
Q
Preservation
A
Evrythng is documented, chain of custody: Who had it when? What was done? When did they do it? Pull the og, put it in write protected machine, we make a hash. We ony do examinations and analysis on bit level copies, we confirm they have the same hash as the og before and after examination.
15
Q
Collection
A
We examine and analyze the data, again we document evrythng. We handle the evidence as little as possible. Work from most volatile to least volatile, starting with the RAM and ending with the hard disks.
16
Q
Incidence response plan
A
can include getting our HR and Legal dept involved. Ensure evidence is acquired in a legal manner remember US Cons 4th amendment.
17
Q
Examination
A
find the facts and document them, collecting the data.
18
Q
Analysis
A
look at the data and look for meaning or reason
19
Q
Presentation in court
A
we present our findings and any other evidence.
20
Q
Decision
A
The court rules on the case.
21
Q
Forensic data
A
is normally obtained from binary images of secondary storage, portable storages devices: hard drives, flash drvs, CDs, DVDs, cell phone, mp3 players. We use binary or bit stream image copy to ensure ew get an exact copy of the device, and not just a copy of certain sectors.
22
Q
Real Evidence
A
Tangible adn physical objects, in IT Sec: hd, usb -NOT the data on them.
23
Q
Evidence Integrity
A
It is vital the evidences integrity cannot be questioned, we do this with hashes. Any forensics is done on copies and never the originals, we check hash on both original and copy before and after the forensics. Heresay, but admissible due to Law 803.
24
Q
Chain of Custody
A
Chain of custody form, this is done to prove the integrity of the data. No tampering is done. Who handled it? When did they handle it? What did they do with it? Where did they handle it?
25
Allocated space
The portions of the disk that are marked as actively containing data.
26
Unallocated space
The portions of the disk that does not contain active data. This is parts that have never been allocated and previously allocated parts that have been marked unallocated. When a file is deleted, the parts of the disk that held the deted file are marked as unallocated and made avaialble for use. So that data is there unit ovrwrtten
27
Slack space
data is stored in specific size chunks known as clusters (clusters = sectors or blocks). A cluster is the minimum size that can be allocated by a file system. If a particular file, or final portion of a file, does not require the use of the entire cluster then some extra space will exist within the cluster. This leftover space is known as slack space: it may contain old data, or can be used intentionally by the attackers to hide information.
28
Bad blocks/clusters/sectors
HD end up with sectors that cannot be read due to some physical defect. The sectors marked as bad will ignored by the OS since no data could be read in those defective portions. Attackers can mark sectors or clusters as being bad in order to hide data within this portion of the disk.
29
Network forensics
we look at monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Network investigations deal with volatile and dynamic info. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.
30
The first type
monitoring a network for anomalous traffic and id intrusions (IDS/IPS). An attacker might be able to erase all log files on a compromised host, a network-based evidence might be the only evidence available for forensic analysis.
31
The second type
relates to law enforcement. In this case analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human comm such as emls or cht sessions
32
Catch-it-as-you-can
All packets passing through a certain traffic point are captured and written to storage with analysis beind done subsequently in batch mode. This approach requires large amounts of storage.
33
Stop, look and listen
each packet is anlyzed in a basic way in memory and only certain fino is saved for future analysis. The approach requires a faster process to keep up with incoming traffic.
34
Catch-it-as-you-can
All packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage.
35
Stop, look and listen
each packet is anlyzed in a basic way in memory and only certain info is saved for future analysis. This approach requires a faster processor to keep up with incoming traffic.
36
Forensic software analysis
Comparing and/or reverse engineering software. REverse engineering malware is one of the most common examples. Investigators often have a binary copy of a malware program, and try to deduce what it does. Common tools are disassembers and debuggers.
37
Embedded device forensics
SSD's, GPS', cell phones, PDA. They contain a lot of info, but how we safely retrieve it while keeping the integrity of the data. IOT can be a sec concern. Where does the GPS say the car, phone or person was at a certain time? When did the AC turn on? Can we assume someone was home at that time?
38
Incident management
Involves the monitoring and detection of security sevents on our systems, and how we react in those events. The primary purpose is to have a well understood and predictable reponse to events and computer intrusions. We have very clear processes and a responses, and our teams are trained in them and know what to when an even occurs.
39
Incidents and events can generally be categorized in 3 classes
Natural: Hurricanes, flds, earthquakes, blizzards, anything that is caused by nature. Human: Done intentially or unintentionally by humans, these are by far the most common. Enviromental: The pwr grid, the Internet cxns, hwd failure, sftwr flaws.
40
Event
An observable change in state, this is neither negative nor positive, it is just something has changed.
41
Alert
Triggers warnings if certain event happens.
42
Incident
Multiple adverse events happening on our systems or network, often caused by people.
43
Problem
Incidence with an unknown cause, we would follow similar steps to incidence reponse. More time would be spent on root cause analysis, we need to know what happened so we can prevent it from happening again.
44
Inconvenience (non-disasters)
Non-disruptive failures, hd failure, 1 server in a cluster is down.
45
Emergency (Crisis)
Urgent, event with the potential for loss of life or property.
46
Diaster
Our entire facility is unusable for 24 hrs or +
47
Diaster
Our entire facility is unusable for 24 hrs or +. Yes, a snowstorm can be a disaster.
48
Incident management, 7-step lifecycle
1. Prep (left out in exam). 2. Detection (Id). 3. Response (Containment). 4 Mitigation (Eradication). 5 Reporting. 6. Recovery. 7 Remediation. 8 Lessons Learned (Post-incident activity, post mortem, or reporting)
49
1. Preparation
We write the policies, procedures, we train our staff, we procure the detection sft/hrdwr, we give our incidence response team the tools they need to respond to an incident.
50
2. Detection
Events are analyzed to determine if they might be a security incident. IDS' can help us detect, IPS' can help us detect and prevent further compromise. SIEM = security incident event manager, collects everything from everything all alerts,logs, event, incident.
51
3. Response
When the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident. Isolate the sys, network/traffic. Make bit level copies of sys
52
3. Response
When the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident. Isolate the sys, network/traffic. Make bit level copies of sys Stop it from spreading
53
4. Mitigation
Understanding the cause of the incident that the sys can be reliably cleaned and restored to operational status later in the recovery phase.
54
5. Reporting
begins with the detection, and we start reporting immediately when twe detect malicious activity. Reporting has 2 focus areas technical and non-technical. The incident handling team reports the tech details of the incident as they start the incident handling process, but they also notify management of serious incidents. The procedures and policies will outline when which level of managment needs to be informed and involved.
55
6. Recovery
We carefully restore the sys/s to operational status. We closely monitor the rebuilt sys incase a backdoor was left.
56
7. Remediation
Remediation happens during the mitigation phase, where vulnerabilities on teh impacted system/s are mitigated. Patching all sys with the same vulnerability or change how the org authenticates.
57
8. Lessons Learned
Problem there has been fixed, what was compromised, what are the vulnerabilities, how did the team react, which part of our plans worked and which didn't.
58
Root-cause analysis
We need to fix the vulner on the sys/s that were effected, but also on any system in the organization that has the particular vulnerability or set of vulnerability.
59
IDS and IPS
can be categorized into 2 types and with 2 different approaches to identifying malicious traffic.
60
Network based
placed on a network segment (a switch port in promiscuous mode)
61
Host based
on a client, normally a server or workstation
62
Signature (pattern) matching
similar to antivirus, it matches traffic against a long list of known malicious traffic patterns
63
Heuristic (Behavioral) based
uses a normal traffic pattern baseline to monitor for abnormal traffic.
64
SIEM (Security Info and Event Management)
gives you a full picture views and data correlation.
65
IDS (Intrustion Detection Sys)
They are passive, they monitor, but they take no action other than sending out alerts.
66
IPS (Intrusion Prevention System)
Similar to IDS, but they also take action to malicious traffic, what they do with the traffic is determined by configuration. Events trigger an action.
67
IDS/IPS
Part of our layered defense. Basically they are packet sniffers with analysis engines.
68
Network based
placed on a network segment (a switch port in promiscuous mode). Inspects hostdestination ports, IP's, protocols, content of traffic, but can obviously not look at in encrypted traffic. Can protect against DDOS, Port scans, brute force attacks, Deployed on 1 switch, port and NIC must be promiscuous and port must be a span port.
69
Host based
on a client, normally a server or workstation. We only look at a single sys. Who is using the sys, the resource usage, traffic. It can be app specific if needed. Certain attacks turn off HIDS/HIPS.
70
Signature based
looks for known malware signatures. Faster since they just check traffic against malicious signatures. Vulnerable to 0 day attacks
71
Heuristic (Behavioral) based
Looks for abnormal behaviro -can produce a lot of false positives. We build a baseline of what normal network traffic looks liek and all traffic is matched to that baseline.
72
Hybrid based
combines both are more used now and check for both signatures and abnormalities.
73
Ways attackers
attempt to avoid detection
74
Fragmentation
sending fragmented packets, the attack can avoid teh detection systems's ability to detect the attack signature
75
Avoiding defaults
TCP port utilized by a proto does not always provide an indication to the proto which is being transported. Attackers can send malware over an unexpected port.
76
Low-bandwidth coordinated attacks
a number of attackers (agents) allocate different ports or hosts to different attackers making it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress. Address spoofing/proxying
77
Pattern change evasion
The attacker changes the data used in the attack slightly, which may avoid detection.
78
Alerts on IDS'/IPS' can like
biometrics be one of 4 categories:
79
True positive
an attack is happening and the sys detects it and acts.
80
True negative
normal traffic on the network and teh system detects it and does nothing
81
Falso Positive
normal traffic and the sys detects it and acts
82
False Negative
an attack is happening and the sys does not detect it and does nothing.
83
SIEM (Security info and event management)
Gathers from all our systems and looks at everything. Centralizes the storage and interpretation of logs, traffic and allows near real-time automated id, analysis and recovery of security events.
84
Application whitelisting
we allow our users to run these apps on our enviroments, but it can also be compromised. White list against a trusted digital cert, a known hash or path and name.
85
Removable media controls
lock down USB ports, CD Drives, memory card ports
86
Honeypots
System looking like a real system, but with the sole purpose of atracting attackers. They are used to learn about our vulnerabilities and how attackers would circumvent our security measures. Talk to the Legal Dept. before deploying honeypots.
87
Honeynets
a network of honeypots, can be a full server farm simulated with applications, OS' and fake data.
88
Configuration Management
Harden sys before we deploy them. Close network ports, services to disable, accounts to delete, missing patches. We do this for any device on our network. Pre introduction into our production enviro we run vulnerability scans against the system to ensure we didn't miss anything.
89
Patch Management
apply patches on a reg basis. Make sure you update network equip, array updates, IOT updates and so on.
90
Change Mangement
Our formalized process on how we handle changes to our enviroments. If done right we will have full documentation, understanding and we communicate changes to appropriate parties. The change review board should be compromised of both IT and other operational units from the org. The board can have senior leadership on itt.
91
Change management flow
1. ID the change 2. Propose the chng 3. Assessing rsks, impcts and bnfts of implementing and not imple 4. Provisional change approval 5. Testing the change 6. Scheduling the change 7. Change notification for impacted parties 8. Implementing the change. 9 Post implementation reporting of the actual change impact.
92
Change control
the parts where we control the change.
93
0 day vulnerabilities
Vulner not generally known or discovered. Protect against this with defense in depth.
94
0 day exploit
code that uses the 0 day vulnerability.
95
Fault tolerance
To ensure our internal SLA's and provides as high availability as possible we use as high degree of redundancy and resiliency as makes sense to that particular sys and data set.
96
Backups
For backups we use Full, Incremental, Diff and Copy backups.
97
Full backup
This backs everything up, the entire database (most often), or the system. A full backup clears the all archive bits.
98
Incremental backup
Backs up everything that has changed since the last backup. Clears the archive bits. The downside to them is if we do montly full backup and daily incrementals, we would have 30 tapes to restore.
99
Differential backup
backs up everything since the last Full backup. Does not clear the archive bit. Faster to restore since we just need 2 tapes for a full restore, the full and the differential.
100
Copy backup
Full backup that doesn't clear the archive bit. Often used before we do sys updates, patches and similar upgrades.
101
Archive bit
For Win NTFS has an archive bit on files, it indicates if the file was changed since the last Full or Incremental backup
102
RAID
(Redundant Array of Independent Disks)
103
Disk mirroring
Writing the same data across multiple hd, slower, because the controller has to write everything twice.
104
Disk striping
Writing the data simultaneoulsy across mult disks providing higher write speed. Uses at least 2 disks. No redundency unless you use parity, but you nd 3 hd.
105
RAID 0
Striping with no mirroring or parity, no fault tol, only provides faster read/write speed, req at least 2 hd
106
RAID 1
Mirror set, 2 hd with identical data, and write function is written to both disks simultaneously.
107
RAID 5
block level striping with distributed parity, req at least 3 disks. Combined speed with redundancy.
108
Redundant parts
PSU, fans, NICS, disk controllers
109
System redundancy
load balancing and clustering. Geographically dispersed.
110
Database shadowing
exact real time copy of the DB or files to another location. It can be another disk in the same server, but best practices dictates another geograph loc, often on a different media.
111
Electonic vaulting (e-vaulting)
Using a remote backup service, backups are sent off-site elec at a certain interval or when files change.
112
Remote jounaling
Sends transaction log files to a remote location, not the files themselves. The transactions can be rebuilt from the logs if we lose the original files.
113
BCP (Business Continuity Plan)
the process of creating the long-term strategic business plans, policies and procedures for continued operation after a disruptive event. It is for the entire org, everything that could be impacted, not just IT. Lists a range of disaster scenarios and the steps the org must take in any particular scenario to return to regular ops.
114
BCP's often contain:
COOP, Crisis Comm Plan, Critical Infr Prot Plan, Cyber Incident Res Pln, DRP,
115
DRP (Diaster Recovery Plan)
This is the process of creating the short-term plans, policies, procedures and tools to enable the recovery or continuation of vital IT sys in a diaster. It focuses on the IT sys supporting critical business func, and how we get those back up after a disaster. DRP is a subset of our BCP
116
Most common reason for a disruptive events are internal employees.
often called errors and omissions.
117
DRP should answer at least 3 basic questions:
What is the objective and purpose? Who will be the people or teams who will be responsible in case any disruptions happen? What will these people do (our procedures) when the disaster hits? *Inform every who should know of what has happened.
118
Mitigation (pre-disaster)
reduce the impact, and likeliness of a disaster
119
Preparation
build programs, procedures and tools for our response
120
Response
how we react in a disaster, following the procedures.
121
Recovery
reestablish basic functionality and get back to full production.
122
Older v of NIST 800-34 had these steps as a framework for building our BCP/DRP
Project Initiation, Scope of Project, Business Impact Analysis, Id Preventitive Controls, Recovery Strategy, Plan Design and Development, (Implementation, Training, and Testing) BCP/DRP Maintenance
123
Rescue team (activation/notification)
responsible for dealing w/ the disaster as it happens. Evacute employees, notifies the appropriate personnel, pull the network from teh infected server/shutdown sys
124
Recovery team (failover)
responsible for getting the alternate site up and running as fast as possible or for getting the sys rebuilt. We get most critical sys up first.
125
Salvage team
responsible for returning our full infrastructure, staff and ops to our primary site or a new facility if the old site was destroyed.
126
BIA (Business impact analysis)
Ids critical and non-critical org sys, fnc, activities. Critical is where disruption is considered unacceptable, the acceptability is also based on the cost of recover. A fnc may also be considered if dictated by law.
127
Each critical sys, function or activity has two values assigned to them
RPO and MTD
128
RPO (Recovery Point Objective)
The acceptable amount of data that can not be recovered. The recovery point objective must ensure that the maximum tolerable data loss for each system, function or activity is not exceeded.
129
MTD (Max Toler Dwntime)
| MTD>=RTO+WRT
The time to rebuild the sys and config for reinsertion into prod must be less than or equal to our MTD. The total time a sys can be inoperable before our org is severely impacted.
130
RTO (Recovery Time Obj)(hardware)
The amnt of time to restore the sys (hardware). The recovery time obj must ensure that the MTD for each sys, func or activity is not exceeded.
131
WRT (Work Recovery Time)(software)
How long does it take us to the time required to configure a recovered sys.
132
Redundant site
Complete identical site to our prod, receives a real time copy of our data. Expensive.
133
Hot site
only houses critical app and sys. We may have to manually fail traffic over, but a full switch can take an hour or less. Near or real-tiem copies of data.
134
Warm site
Similar to the hot site, but not with real or near-real time data, often restored with backups. A smaller but full data center. We manually fail traffic over, a full switch and restore can take 4-24 hrs.+
135
Cold site
a smaller but full data center. No hardware or backups are at the cold site, they require sys to be acquired, conf and applications loaded and config. This is the cheapest, but also longeste recovery option, can be weeks+
136
Reciprocol Agreement site
your org has a contract w/ another org that they will give you space in their data center in a disaster even and vice versa.
137
Mobile site
Basically a data center on wheels, often a container or trailer that can be moved whereever by a truck.
138
Subscription/cloud site
We pay someone else to have a minimal or full replica of our production enviro up and running within a certain number of hours (SLA)
139
COOP (Continuity of Operations Plan)
How we keep operating in a disaster, how do we get staff to alternate sites, what are all the operational things we need to ensure we function even if at reduced capacity for up to 30 days.
140
Cyber Incident Response Plan
How we respond in cyber events, can be part of the DRP or not.
141
OEP (Occupant Emergency Plan)
How do we protect our facilities, our staff and the enviroment in a disaster event. Focuses on safety and evacutation, details how we evacuate, how often we do drills and the training staff should get.
142
BRP (Business Recovery Plan)
Lists the steps we need to restore normal business operations after recovering from a disruptive event.
143
Continuity of Support Plan
Focuses narrowly on support of specififc IT sys and apps. Also called the IT Contigency Plan, emphasizing IT over general business support.
144
CMP (The Crisis Management Plan)
Gives us effective coordination among the managment of the org, in the event of an emergency or disruptive event. Details what manag must take to ensure that life and safety of personnel and property are immediately protected in case of a disaster.
145
Crisis Comm Plan
A subplan of the CMP. How we comm inter and ext during a disaster
146
Call Trees
Each user in the tree calls a sml # of users.
147
Off site copies and plans
We keep both digital and phy copies of all our plans at offsite locations.
148
EOC (Emergency Operations Center)
A central temporary command and control facility responsible for our emergency management or disaster management functions at a strategic level during an emergency.
149
MOU/MOA (Memorandum of Understanding/Agreement
Staff signs a legal document ack they are responsible for a certain activity.
150
Executive Succession Planning
Senior leadership often are the only ones who can decalre a disaster. Our plans should clearly outline who should declasre a disaster, if they are not available.
151
Employee redundancy
We should have as high degree of skilled employee redundancy, just like we have on our critical hardware. Can be mitigated with training and job rotation.
152
DRP review
Team members wo are part of the DRP team review the plan quickly looking for glaring omissions, gaps or missing sections in the plan.
153
Read-through (checklist)
Managers and functional areas go through the plan and check a list of components needed for in the recovery process.
154
Walk/Talk-through (tabletop or structured walkthrough)
a group of managers and critical personnel sit down and talk through the recovery process. Can often expose gaps, omissions or just technically inaccurracies that would prevent the recovery.
155
Simulated Test (Walkthrough Drill)
Similar to the walkthrough (but different, do not confure them). The team simulates a disaster and teh teams respond with their pieces from the DRP.
156
Parallel processing
we bring critical components up at a secondary site using backups and compare to the same sys at the primary site
157
Partial Interruption
We interrupt a single app and fail it over to our secondary facilities, often done off hours.
158
Full Interruption
We interrupt all app and fail it over to our secondary facilities, always done off hours. Both partial and full are mostly done by fully redundant orgs.
159
Testing
to ensure the plan is accurate, complete and effective, happens before we implement the plan
160
Drills (exercises)
Walkthroughs of the plan, main focus is to train staff, and improve employee response (think fire drills)
161
Auditing
A 3rd party ensure that the plan is being followed, understood and the measures in the plan are effective.
162
We train staff to raise the awareness
awareness is their ability to do a task in the DRP.
163
The plans need to be continually updated
it is an iterative process. Plans should be reviewed and updated at least every 12 months. When we update the plans older copies are retrieved and destroyed, and current versions are distributed.
164
After a disruption
we only use our BCP/DRP's when our other countermeasures have failed.
165
NIST 800-34
Provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information sys services after a disruption.
166
ISO 22301
Societal security, Business continuity management sys, specifies a management sys to manage an orgs business continuity plan, supported by ISO 27031.
167
ISO/IEC-27031
Societal security, business continuity management sys - guidance, which provides more pragmatic advice concerning business continutiy managment.
168
BCI (Business Continuity Institute)
6 step process of Good Practice Guidelines (GPG) the independent body of knowledge for Business Continuity.
