Domain 7 - Security Operations Flashcards
1
Q
User and entity behavior analytics (UEBA)
A
- entity behavior is collected and input to a threat model, model establishes baseline of normal based on historical data, enables analysis to uncover anomalies
2
Q
Threat intel feeds
A
- feed containing malicious entities ingested by cyber tools, educational tools for threat landscape changes, single feed may contain many sources including OSINT, entity = IP, website, actor, hashes
3
Q
Role of AI and ML (SecOps)
A
- automate analysis, automated investigation feature, quickly analyze millions of events and identify many different types of threats, profiles are built on users/ assets/ networks/ devices allowing AI to detect and respond to deviations from established norms, factor in anti-malware, SIEM, IDS/IPS, IDaaS
4
Q
Collusion
A
- agreement among multiple persons to perform unauthorized action
5
Q
Separation of duties
A
- ensure 1 person doesn’t control all elements of a critical function
6
Q
Job rotation
A
- employees rotated into different jobs or tasks, flush out fraud
7
Q
Monitoring privileged operations
A
- monitor all assignment of privileges and the use of privileged operations, can detect many attacks because attackers commonly use special privileges
8
Q
Information lifecycle
A
- Creation (file creation by user or system logs) > classification (to ensure its handled properly) > storage (protect data with adequate controls based on classification) > usage (anytime data is in use or in transit) > archive (sometimes needed to comply with laws or regulations) > destruction (destroyed in a way so it is not readable)
9
Q
Service level agreements
A
-performance expectations like max downtimes/ availability numbers, can include penalties, usually applies to vendors
10
Q
Secure provisioning
A
- ensures that resources are deployed in a secure manner and maintained in a secure manner throughout lifecycle, ie PC deployed from secure image
11
Q
Virtual assets
A
- VMs, VDIs, SDN, SAN, hypervisors are primary component that manage virtual assets but also provide attackers with an additional target, KEEP IT PATCHED!!
12
Q
Configuration management
A
ensures that systems are configured in a similar manner, configs are KNOWN and DOCUMENTED
13
Q
Baselining
A
- ensures systems are deployed with a common baseline ie imaging, policy based config (GPOs), can then be TAILORED as needed
14
Q
Change management
A
- helps reduce outages/ weakened sec from unauthorized changes, make sure all changes are documented/ discussed/ authorized, changes are tested approved and documented
15
Q
Versioning
A
- uses labeling/ numbering to track changes in software, helpful in change management process
16
Q
Patch management
A
- ensures systems are kept up to date with current sec patches, evaluate/ test/ approve/ deploy patches, system audits verify the deployment of approved patches to system, vuln scanner can identify missing patches
17
Q
Vuln scanners
A
- detect vulns, weaknesses, absence of patches, weak passwords ie tenable, qualys
18
Q
Vuln assessments
A
- includes review and audits to detects vulns in addition to a scan
19
Q
Detection (IR)
A
- monitoring tools, IPS, firewalls, notifying management
20
Q
Response (IR)
A
- triage (is it really an incident?), decision to declare, LIMIT DAMAGE
21
Q
Mitigation (IR)
A
- first containment effort or step, create team, CONTAINMENT IS HERE
22
Q
Reporting (IR)
A
- to relevent stakeholders (customers, vendors, law enforcement), MANAGEMENT DECISION
23
Q
Recovery (IR)
A
- returning to normal ops, MANAGEMENT DECISION
24
Q
Remediation (IR)
A
- root cause is addressed, ROOT CAUSE ANALYSIS
25
Q
Lessons learned (IR)
A
- prevent recurrence, improve IR process
26
Q
Denial of Service attacks (DoS)
A
- prevent a system from responding to legit requests for service, blocks resources
27
Q
SYN flood attack
A
- disrupts TCP 3 way handshake
28
Q
Smurf attack
A
- amplification network (systems under control of bad actor) to send many response packets to victim
29
Q
Botnet
A
-collection of compromised computing devices (often called bots or zombies)
30
Q
Bot herder
A
- attacker who remotely controls botnet via a C2 server, often use them to launch attacks or send phishing emails
31
Q
Honeypot
A
- has pseudo flaws and fake data to lure/ distract intruders, cant entrap someone to commit an actual crime, as long as attackers are in the honeypot they are not in the live network and admins can observe, some IDS can transfer attackers to padded cell after detection (hardened honeypot)
32
Q
Anti-malware software
A
- up to date definitions, installed on each system/ boundary device/ email servers/ etc, also has behavioral analysis now
33
Q
Policies (blocking malicious code)
A
- enforce basic sec principles ie least privilege, no local admin, etc
34
Q
Education (blocking malicious code)
A
- teaching users about risks and methods attackers use to spread viruses
35
Q
Penetration tests
A
- discover vulns then mimic an attack to identify what can be exploited, not without consent and knowledge from management, can result in damage so should be done on isolated systems whenever possible, schedule at time of minimal activity
36
Q
Black box pentesting
A
- no knowledge of environment
37
Q
White box pentesting
A
- full knowledge of environment, open book test
38
Q
Gray box pentesting
A
- partial knowledge of environment
39
Q
IDS
A
- can respond by passively logging and notifying OR actively by changing the environment, reactive
§ HIDS - monitor activity on single system only, attackers can discover and disable
§ NIDS - monitor activity on a network, not as visible to attackers
40
Q
IPS
A
- placed inline with traffic, can block malicious traffic before it reaches target, proactive
41
Q
Espionage
A
- external threat, competitor tries to steal info
42
Q
Sabotage
A
- insider threat, malicious insiders can become disgruntled, ie mass deletion/ server shutdowns, data theft
43
Q
Zero-day exploits
A
- attack that uses a vulnerability that is either unknown to anyone but the attacker or a limited # of people, basic sec practices can often prevent these from being fully utilized
44
Q
Common log files
A
- security logs, system logs, application logs, firewall logs, proxy logs, protected by centrally storing them and restricting access so they can’t be modified, read only!
45
Q
Monitoring
A
- form of auditing, focuses on active review of log file data, used to hold subjects accountable and monitor system performance, automated by IDS/ SIEM
46
Q
Audit trails
A
- used to reconstruct event, prove culpability, DETECTIVE security control, essential evidence in prosecution of criminals
47
Q
Sampling
A
- extracting elements from a large body of data, construct a meaningful representation of the whole set of data
48
Q
Statistical sampling
A
- uses precise math function to extract meaningful info from a large volume of data
49
Q
Clipping
A
- non-statistical sampling, records only events that exceed a threshold
50
Q
Accountability
A
- maintained for individual users aka subjects through AUDITING, logs record user activities and users can be held accountable for logged actions, promotes good user behavior because people know theyre being watched
51
Q
Security audits/ reviews
A
- help ensure that management programs are effective and being followed, commonly associated with account management to prevent violations with least priv and need to know, can be used to oversee many programs and processes ie patch/ vuln/ change/ config management
52
Q
Auditing
A
- examination of environment to ensure compliance, DETECTIVE control, frequency is based on risk, degree of risk affects how often an audit is performed, secure environments rely heavily on audits
53
Q
Due care
A
- act with common sense, prudent management, responsible
54
Q
Controlling access to audit reports
A
- contain sensitive info, purpose/ scope and any results discovered, only people with sufficient priv should have access, senior sec admins should have full details, senior management only needs high level summary to meet their requirement for due care
55
Q
Access review
A
- ensures object access and account management practices support the security policy
56
Q
User entitlement audit
A
- ensure that least priv is followed and focused on privileged accounts
57
Q
Access control audit
A
- can track logon success and failure of any account, incloud resources (object) access and action performed on resources ie mass file exfiltration, IDS can monitor these logs and easily identify attacks and notify admins
58
Q
Computer crime
A
- military and intelligence attacks, business attacks, financial attacks, terrorist attacks, grudge attacks, thrill attacks
59
Q
Electronic discovery
A
- eDiscovery, info ID and governance, preservation and collection, processing, review and analysis, production and presentation (in case of lawsuit will need to present data)
60
Q
Possession (evidence gathering)
A
- must have possession of equipment/ data to analyze and use it as evidence
61
Q
Modification (evidence gathering)
A
- must acquire evidence w/o modifying it or allowing anyone else to modify it
62
Q
Chain of evidence
A
- aka chain of custody, documents all who handle evidence
63
Q
Voluntary surrender
A
- ask the person who owns the evidence to voluntarily surrender it for investigation
64
Q
Subpoena
A
- compels a subject to surrender evidence
65
Q
Search warrant
A
- when you need to confiscate evidence w/o giving subject the opportunity to alter it
66
Q
Data retention
A
- ensure critical logs are retained for a reasonable period of time based on sec policy/ regulatory requirements, can be maintained in place or in archives
67
Q
Best evidence
A
- original
68
Q
Secondary evidence
A
- copy
69
Q
Direct evidence
A
- proves or disproves an act based on the 5 senses ie something seen or heard in the 1st person
70
Q
Conclusive evidence
A
- cannot be disproven, overrides all other types
71
Q
Circumstantial evidence
A
- inferred from other info, often comes up in financial crimes
72
Q
Corroborative evidence
A
- supporting evidence that cannot stand on its own
73
Q
Opinions (evidence)
A
- expert and non-expert
74
Q
Hearsay (evidence)
A
- not based on first hand knowledge
75
Q
Evidence admissibility
A
- must be relevant to the case, must be material to the case, must be competent or legally collected, must comply with traditional notions of reliability ie court is satisfied with handling and type of evidence
76
Q
Real evidence
A
- consists of ACTUAL objects that can be brought into a courtroom
77
Q
Documentary evidence
A
- consists of written documents that provide insight into the facts
78
Q
Testimonial evidence
A
- consists of verbal or written statements made by witnesses
79
Q
Evidence collection
A
- start as soon as incident is discovered, collect as much evidence as possible, can be used in legal action or in finding attacker identity, determine extent of damage
80
Q
Natural disasters
A
- earthquakes, floods, tornados, etc. can be location specific ie hurricanes by the coast
81
Q
Man made disasters
A
- explosions, electrical fires, terrorist acts, power outages, other utility failures
82
Q
Hot site
A
- “proactive” site, replication of production environment, keep servers and a live backup site up and running, allows for IMMEDIATE cutover in case of disaster, is a MUST for mission critical sites, HIGH COST LOW EFFORT
83
Q
Warm site
A
- “preventative” site, allows pre-installed hardware and pre-configured bandwidth, if disaster strikes just load software and data to restore business systems MEDIUM COST MEDIUM EFFORT
84
Q
Cold site
A
- just data center space, power, network connectivity. Ready when you need it. If disaster strikes, engineering and logistical support teams can help move hardware into the data center to get you up and running, LOW COST HIGH EFFORT
85
Q
Service Bureau
A
- company that leases computer time, own large server farms and often fields of workstations, may be onsite or remote
86
Q
Mobile site
A
- non-mainstream alternative to traditional recovery sites, consist of self-contained trailers or other easily relocated units
87
Q
Recovery point objective (RPO)
A
- age of files that have to be recovered from backup storage for normal ops to resume if a system or network goes down
88
Q
Recovery time objective (RTO)
A
- duration of time and service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity
89
Q
Mutual Assistance Agreements (MAAs)
A
- entities agree to provide assistance to each other before during and after an emergency, inexpensive alternative to disaster recovery sites, can happen between gov agencies often, CONS: orgs may be shut down by same disaster and this does raise confidentiality concerns, difficult to enforce if one side lets the other down
90
Q
Business continuity planning
A
- STEPS: Project scope and planning > business impact assessment > continuity planning > approval and implementation. GOAL: efficient response to enhance a companys ability to recover from a disruptive event promptly
91
Q
BCP (business continuity plan)
A
- organizational plan for HOW TO continue business
92
Q
COOP (Continuity of operations plan)
A
- plan for continuing to do business until IT infrastructure is restored
93
Q
DRP (Disaster recovery plan)
A
- plan for recovering from an IT disaster and having the IT infrastructure back in operation
94
Q
BRP (business resumption plan)
A
- plan to move from the disaster recovery site back to business environment/ back to normal operations
95
Q
MTBF (mean time between failures)
A
- time determination for how long a piece of IT infrastructure will continue to work before it fails
96
Q
MTTR (mean time to repair)
A
- how long it takes to get a piece of hardware/ software repaired and back online
97
Q
MTD (max tolerable downtime)
A
- time we can be without the asset that is unavailable BEFORE we must declare a disaster and initiate the DRP
98
Q
Goals of DR and BCP
A
- minimize effects of a disaster, improving responsiveness by the employees in different situations, ease confusion by providing written procedures and participation in drills, help make logical decisions during a crisis/ extreme stress
99
Q
Read through test
A
- distribute copies of DRP for members of the disaster recovery team to review
100
Q
Structured walk-through test (tabletop exercise)
A
- members of the disaster recovery team gather in a large conference room and role play a disaster scenario AKA tabletop exercise, scenario is known only to the moderator
101
Q
Simulation test
A
- similar to structured walkthrough, except response measures are then tested on NON-CRITICAL FUNCTIONS
102
Q
Parallel test
A
- relocate personnel to alternate recovery site and implement site activation procedures. Employees perform DRP responsibilities
103
Q
Full interruption test
A
- shutting down ops at primary site and using the backup/ recovery site
104
Q
Recovery team
A
- get critical business functions running at alternate site
105
Q
Salvage team
A
- returns primary site to normal processing conditions
106
Q
Electronic vaulting
A
- transfer database backups to a remote site as part of a bulk transfer
107
Q
Remote journaling
A
- transmitting journal/ transaction logs to the off site facility (not actual files)
108
Q
Remote mirroring
A
- live database server is maintained at the backup site, most advanced database backup solution (most expensive backup strategy)
109
Q
Non-disaster (disruption category)
A
- disruption is service from malfunction or user error
110
Q
Disaster (disruption category)
A
- whole facility unusable for a day or longer
111
Q
Catastrophe (disruption category)
A
- major disruption that destroys facility altogether, requires short and long term solution
112
Q
Uniform Computer
Information
Transactions Act
(UCITA)
A
Common framework for the conduct of computer-related
business transactions. A federal law Eg. Use of software
licensing
