Domain 7 - Security Operations Flashcards
These allow access to objects such as files.
Permissions
These refer to the ability to take actions.
Rights
the combination of both rights and permissions.
Privileges
This imposes the requirement to grant users access only to data or resources they need to perform assigned work tasks.
need to know principle. data = need to know
This states that subjects are granted only the privileges necessary to perform assigned work tasks and no more.
principle of least privilege. actions = least privilege
This refers to the amount of privileges g t ranted to users, typically when first provisioning an account. In other words, when administrators create user accounts, they ensure the accounts are provisioned with the appropriate amount of resources, and this includes privileges.
Entitlement
In the context of least privilege, this refers to the amount of privileges that users collect over time. For example, if a user moves from one department to another while working for an organization, this user can end up with privileges from each department.
Aggregation
This extends the trust relationship between the two security domains to all of their subdomains. Within the context of least privilege, it’s important to examine these trust relationships, especially when creating them between different organizations.
Transitive Trust
This ensures that no single person has total control over a critical function or system. This is necessary to ensure that no single person can compromise the system or its security. Instead, two or more people must conspire or collude against the organization, which increases the risk for these people.
Separation of duties
These models provide fully functional applications typically accessible via a web browser. For example, Google’s Gmail
Software as a Service (SaaS)
These models provide consumers with a computing platform, including hardware, an operating system, and applications. In some cases, consumers install the applications from a list of choices provided by the CSP. Consumers manage their applications and possibly some configuration settings on the host. However, the CSP is responsible for maintenance of the host and the underlying cloud infrastructure.
Platform as a Service (PaaS)
These models provide basic computing resources to consumers. This includes servers, storage, and in some cases, networking resources. Consumers install operating systems and applications and perform all required maintenance on the operating systems and applications. The CSP maintains the cloud-based infrastructure, ensuring that consumers have access to leased systems.
Infrastructure as a Service (IaaS)
What are the 5 steps involved in managing a computer security incident response.
Response, Mitigation, Reporting, Recovery, Remediation
This examines the incident to determine what allowed it to happen. For example, if attackers successfully accessed a database through a website, personnel would examine all the elements of the system to determine what allowed the attackers to succeed.
root cause analysis
Attacks that prevent a system from processing or responding to legitimate traffic or requests for resources and objects.
Denial-of-service (DoS) attacks
This is a common DoS attack. It disrupts the standard three-way handshake used by TCP to initiate communication sessions.
SYN flood attack
This is another type of flood attack, but it floods the victim with Internet Control Message Protocol (ICMP) echo packets instead of with TCP SYN packets. More specifically, it is a spoofed broadcast ping request using the IP address of the victim as the source IP address.
smurf attack
These are similar to smurf attacks. However, instead of using ICMP, this attack uses UDP packets over UDP ports 7 and 19. This attack will broadcast a UDP
packet using the spoofed IP address of the victim. All systems on the network will then send traffic to the victim, just as with a smurf attack.
Fraggle attacks
This floods a victim with ping requests. This can be very effective when launched by zombies within a botnet as a DDoS attack.
ping flood attack
This attack employs an oversized ping packet. Ping packets are normally 32 or 64 bytes, though different operating systems can use other sizes. This attack changed the size of ping packets to over 64 KB, which was bigger than many systems could handle. When a system received a ping packet larger than 64 KB, it resulted in a problem. In some cases
the system crashed.
ping-of-death attack
An attacker fragments traffic in such a way that a system is unable to put data packets back together.
teardrop attack
This occurs when the attacker sends spoofed SYN packets to a victim using the victim’s IP address as both the source and destination IP address. This tricks the system into constantly replying to itself and can cause it to freeze, crash, or reboot.
land attack
This refers to an attack on a system exploiting a vulnerability that is unknown to others.
zero-day exploit
Any script or program that performs an unwanted, unauthorized, or unknown activity on a computer system.
Malicious code
code downloaded and installed on a user’s system without the user’s knowledge.
drive-by download
This attack occurs when a malicious user is able to gain a position logically between the two endpoints of an ongoing communication.
man-in-the-middle
This means using a modem to search for a system that accepts inbound connection attempts.
War dialing
This is the most common method of detection. It uses a
database of known attacks developed by the IDS vendor.
Knowledge-based Detection
This type of detection starts by creating a baseline of normal activities and events on the system. Once it has accumulated enough baseline data to determine normal activity, it can detect abnormal activity that may indicate a malicious intrusion or event.
Behavior-based Detection
A portion of allocated IP addresses within a network that are not used. It includes one device configured to capture all the traffic into this area of the network. Since the IP addresses are not used, it does not have any other hosts and it should not have any traffic at all.
a darknet
An individual computers created as a trap for intruders.
Honeypots
Two or more networked honeypots used together to simulate a network.
honeynet
false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers. They are often used on honeypot systems to emulate
well-known operating system vulnerabilities. Attackers
Pseudo flaws
This system is similar to a honeypot, but it performs intrusion isolation using a different approach. When an IDS detects an intruder, that intruder is automatically transferred to this system. It has the look and feel of an actual network, but the attacker is unable to perform any malicious activities or access any confidential data from within this location.
A padded cell
A zero-knowledge team knows nothing about the target site except for publicly available information, such as domain name and company address.
Black-Box Testing
A full-knowledge team has full access to all aspects of the target environment. They know what patches and upgrades are installed, and the exact configuration of all relevant devices. If the target is an application, they would have access to the source code.
White-Box Testing
A partial-knowledge team that has some knowledge of the target performs gray-box testing, but they are not provided access to all the information.
Gray-Box Testing
the process of extracting specific elements from a large collection of data to construct a meaningful representation or summary of the whole.
Sampling
This is a form of nonstatistical sampling. It selects only events that exceed a level , which is a predefined threshold for the event. The system ignores events until they reach this threshold.
Clipping
This refers to monitoring outgoing traffic to prevent data ex-filtration, which is the unauthorized transfer of data outside the organization.
Egress monitoring
the practice of embedding a message within a file. For example, individuals can modify bits within a picture file to embed a message.
Steganography
the records created by recording information about events and occurrences into one or more databases or log files. They are used to reconstruct an event, to extract information about an incident, and to prove or disprove culpability.
Audit trails
any component that can cause an entire system to fail.
single point of failure
the ability of a system to suffer a fault but continue to operate.
Fault tolerance
refers to the ability of a system to maintain an acceptable level of service during an adverse event.
System resilience
This is also called striping. It uses two or more disks and improves the disk subsystem performance, but it does not provide fault tolerance.
RAID-0
This is also called mirroring. It uses two disks, which both hold the same data. If one disk fails, the other disk includes the data so a system can continue to operate after a single disk fails.
RAID-1
This is also called striping with parity. It uses three or more disks with the equivalent of one disk holding parity information. If any single disk fails, the RAID array will continue to operate, though it will be slower.
RAID-5
This is also known as RAID 1 + 0 or a stripe of mirrors, and is configured as two or more mirrors (RAID-1) configured in a striped (RAID-0) configuration. It uses at
least four disks but can support more as long as an even number of disks are added. It will continue to operate even if multiple disks fail, as long as at least one drive in each mirror continues to function.
RAID-10
a quick instance of an increase in voltage
spike
a quick instance of a reduction in voltage.
sag
when voltage remains low for a long period of time
brownout
If power stays high for a long period of time, it’s called
surge
system will default to a secure state in the event of a failure, blocking all access.
fail-secure
system will fail in an open state, granting all access.
fail-open
Four types of trusted recovery that is relevant to system resilience and listed in Common Criteria
Manual Recovery, Automated Recovery, Automated Recovery without Undue Loss, Function Recovery
If a system fails, it does not fail in a secure state. Instead, an administrator is required to manually perform the actions necessary to implement a secured or trusted recovery after a failure or system crash.
Manual Recovery
The system is able to perform trusted recovery activities to restore itself against at least one type of failure. For example, a hardware RAID provides automate drecovery against the failure of a hard drive but not against the failure of the entire server. Some types of failures will require manual recovery.
Automated Recovery
This is similar to automated recovery in that a system can restore itself against at least one type of failure. However, it includes mechanisms to ensure that specific objects are protected to prevent their loss. An example would include steps to restore data or other
objects. It may include additional protection mechanisms to restore corrupted files, rebuild data from transaction logs, and verify the integrity of key system and security components.
Automated Recovery without Undue Loss
Systems that support function recovery are able to automatically recover specific functions. This state ensures that the system is able to successfully complete the recovery for the functions, or that the system will be able to roll back the changes to
return to a secure state.
Function Recovery
The network capacity available to carry communications.
Bandwidth
The time it takes a packet to travel from source to destination.
Latency
The variation in latency between different packets.
Jitter
Some packets may be lost between source and destination, requiring retransmission.
Packet Loss
Electrical noise, faulty equipment, and other factors may corrupt the contents of packets.
Interference
standby facilities large enough to handle the processing load of an organization and equipped with appropriate electrical and environmental support systems. They have no computing facilities (hardware or software) preinstalled and also has no active broadband communications links.
Cold sites
a backup facility is maintained in constant working order, with a full complement of servers, workstations,
and communications links ready to assume primary operations responsibilities. The servers and workstations are all preconfigured and loaded with appropriate operating system and application software. The data is periodically or continuously updated.
hot site
These sites always contain the equipment and data circuits necessary to rapidly establish operations. This equipment is usually preconfigured and ready to run
appropriate applications to support an organization’s operations. However, they do not typically contain copies of the client’s data
warm sites
Activation of this type of site usually takes at least 12 hours from the time a disaster is declared.
warm sites
a company that leases computer time. They own large server farms and often fields of workstations. Any organization can purchase a contract from them to consume some portion of their processing capacity. Access can be on site or remote.
service bureau
two organizations pledge to assist each other in the event of a disaster by sharing computing facilities or other technological resources.
Mutual assistance agreements (MAAs)
database backups are moved to a remote site using bulk transfers. The remote location may be a dedicated alternative recovery site (such as a hot site) or simply an offsite location managed within the company or by a contractor for the purpose of maintaining backup data.
electronic vaulting; keyword is batch sending of data. for example every hour.
data transfers are performed in a more expeditious manner. Data transfers still occur in a bulk transfer mode, but they occur on a more frequent basis, usually
once every hour and sometimes more frequently. Unlike electronic vaulting scenarios, where entire database backup files are transferred, these setups transfer copies of the database transaction logs containing the transactions that occurred since the previous bulk transfer.
remote journaling- keyword transaction logs
the most advanced database backup solution and the most expensive! A live database server is maintained
at the backup site. The remote server receives copies of the database modifications at the same time they are applied to the production server at the primary site. Therefore, the remote server is ready to take over an operational role at a moment’s notice.
Remote mirroring
These store a complete copy of the data contained
on the protected device. They duplicate every file on the system regardless of the setting of the archive bit. Once it is complete, the archive bit on every file is
reset, turned off, or set to 0.
Full Backups
These store only those files that have been modified
since the time of the most recent full or incremental backup. Only files that have the archive bit turned on, enabled, or set to 1 are duplicated. Once it is complete,
the archive bit on all duplicated files is reset, turned off, or set to 0.
Incremental Backups
These store all files that have been modified since the
time of the most recent full backup. Only files that have the archive bit turned on, enabled,or set to 1 are duplicated. However they doe not change the archive bit.
Differential Backups
one of the simplest tests to conduct, but it’s also one of the most critical. In this test, you distribute copies of disaster recovery plans to the members of the disaster recovery team for review.
read-through test
In this type of test, often referred to as a table-top exercise , members of the disaster recovery team gather in a large conference room and role-play a disaster scenario. Usually, the exact scenario is known only to the test moderator, who presents the details to the team at the meeting. The team members then refer to their copies of the disaster recovery plan and discuss the appropriate responses to that particular type of disaster.
structured walk-through
In these tests, disaster recovery team members are presented with a scenario and asked to develop an appropriate response. Some of these response measures are then tested. This may involve the interruption of noncritical business activities and the use of some operational personnel.
Simulation tests
These tests involve relocating personnel to the alternate recovery site and implementing site activation procedures. The employees relocated
to the site perform their disaster recovery responsibilities just as they would for an actual
disaster. The only difference is that operations at the main facility are not interrupted. That site retains full responsibility for conducting the day-to-day business of the organization.
Parallel tests
These tests operate like parallel tests, but they involve actually shutting down operations at the primary site and shifting them to the recovery site. For obvious reasons, these tests are extremely difficult to arrange, and you often encounter resistance from management.
Full-interruption tests
3 requirements to be admissible evidence
Must be relevant to determining a fact, must be material or related to the case, and must be competent or obtained legally
This type of evidence consists of things that may actually be brought into a court of law. In common criminal proceedings, this may include items such as a murder weapon, clothing, or other physical objects. In a computer crime case, it might include seized computer equipment, such as a keyboard with fingerprints on it or a hard drive from a hacker’s computer system.
Real evidence
This type of evidence includes any written items brought into court to prove a fact at hand. This type of evidence must also be authenticated. For example,
if an attorney wants to introduce a computer log as evidence, they must bring a witness (for example, the system administrator) into court to testify that the log was collected as a routine business practice and is indeed the actual log that the system collected.
Documentary evidence
This type of evidence is, quite simply, evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.
Testimonial Evidence
a branch of computer forensic analysis, involves the
identification and extraction of information from storage media.
Media Analysis
Forensic investigators are also often interested in the activity that tookplace over the network during a security incident. This is often difficult to reconstruct due to the volatility of network data—if it isn’t deliberately recorded at the time it occurs, it generally is not preserved.
Network Analysis
What are the three-steps of an incident response process
Detection and identification, Response and reporting, Recovery and remediation
The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
The Code of Ethics preamble
List the four Code of Ethics canons
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
a crime (or violation of a law or regulation) that is directed against, or directly involves, a computer.
Computer crime
list the six categories of computer crimes.
military and intelligence attack, business attack, financial attack, terrorist attack, grudge attack, and thrill attack.
Group of servers that are managed as a single logical system.
Server clustering. Note: not all clusters do load balancing.
