Domain 7 - Security Operations Flashcards
These allow access to objects such as files.
Permissions
These refer to the ability to take actions.
Rights
The combination of both rights and permissions.
Privileges
This imposes the requirement to grant users access only to data or resources they need to perform assigned work tasks.
Need-to-know principle (mnemonic: data = need to know)
This states that subjects are granted only the privileges necessary to perform assigned work tasks and no more.
Principle of least privilege (mnemonic: actions = least privilege)
This refers to the amount of privileges granted to users, typically when first provisioning an account. In other words, when administrators create user accounts, they ensure the accounts are provisioned with the appropriate amount of resources, and this includes privileges.
Entitlement
In the context of least privilege, this refers to the amount of privileges that users collect over time. For example, if a user moves from one department to another while working for an organization, this user can end up with privileges from each department.
Aggregation
This extends the trust relationship between the two security domains to all of their subdomains. Within the context of least privilege, it’s important to examine these trust relationships, especially when creating them between different organizations.
Transitive Trust
This ensures that no single person has total control over a critical function or system. This is necessary to ensure that no single person can compromise the system or its security. Instead, two or more people must conspire or collude against the organization, which increases the risk for these people.
Separation of duties
These models provide fully functional applications typically accessible via a web browser. For example, Google’s Gmail.
Software as a Service (SaaS)
These models provide consumers with a computing platform, including hardware, an operating system, and applications. In some cases, consumers install the applications from a list of choices provided by the CSP. Consumers manage their applications and possibly some configuration settings on the host. However, the CSP is responsible for maintenance of the host and the underlying cloud infrastructure.
Platform as a Service (PaaS)
These models provide basic computing resources to consumers. This includes servers, storage, and in some cases, networking resources. Consumers install operating systems and applications and perform all required maintenance on the operating systems and applications. The CSP maintains the cloud-based infrastructure, ensuring that consumers have access to leased systems.
Infrastructure as a Service (IaaS)
What are the 5 steps involved in managing a computer security incident response?
Response, Mitigation, Reporting, Recovery, Remediation
This examines the incident to determine what allowed it to happen. For example, if attackers successfully accessed a database through a website, personnel would examine all the elements of the system to determine what allowed the attackers to succeed.
root cause analysis
Attacks that prevent a system from processing or responding to legitimate traffic or requests for resources and objects.
Denial-of-service (DoS) attacks
This is a common DoS attack. It disrupts the standard three-way handshake used by TCP to initiate communication sessions.
SYN flood attack
This is another type of flood attack, but it floods the victim with Internet Control Message Protocol (ICMP) echo packets instead of with TCP SYN packets. More specifically, it is a spoofed broadcast ping request using the IP address of the victim as the source IP address.
smurf attack
These are similar to smurf attacks. However, instead of using ICMP, this attack uses UDP packets over UDP ports 7 and 19. This attack will broadcast a UDP packet using the spoofed IP address of the victim. All systems on the network will then send traffic to the victim, just as with a smurf attack.
Fraggle attacks
This floods a victim with ping requests. This can be very effective when launched by zombies within a botnet as a DDoS attack.
ping flood attack
This attack employs an oversized ping packet. Ping packets are normally 32 or 64 bytes, though different operating systems can use other sizes. This attack changed the size of ping packets to over 64 KB, which was bigger than many systems could handle. When a system received a ping packet larger than 64 KB, it resulted in a problem. In some cases the system crashed.
ping-of-death attack
An attacker fragments traffic in such a way that a system is unable to put data packets back together.
teardrop attack
This occurs when the attacker sends spoofed SYN packets to a victim using the victim’s IP address as both the source and destination IP address. This tricks the system into constantly replying to itself and can cause it to freeze, crash, or reboot.
land attack
This refers to an attack on a system exploiting a vulnerability that is unknown to others.
zero-day exploit
Any script or program that performs an unwanted, unauthorized, or unknown activity on a computer system.
Malicious code
Code downloaded and installed on a user’s system without the user’s knowledge.
drive-by download
This attack occurs when a malicious user is able to gain a position logically between the two endpoints of an ongoing communication.
man-in-the-middle
This means using a modem to search for a system that accepts inbound connection attempts.
War dialing
This is the most common method of detection. It uses a database of known attacks developed by the IDS vendor.
Knowledge-based Detection
This type of detection starts by creating a baseline of normal activities and events on the system. Once it has accumulated enough baseline data to determine normal activity, it can detect abnormal activity that may indicate a malicious intrusion or event.
Behavior-based Detection
A portion of allocated IP addresses within a network that are not used. It includes one device configured to capture all the traffic into this area of the network. Since the IP addresses are not used, it does not have any other hosts and it should not have any traffic at all.
a darknet
Individual computers created as traps for intruders.
Honeypots
Two or more networked honeypots used together to simulate a network.
honeynet
False vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers. They are often used on honeypot systems to emulate well-known operating system vulnerabilities. Attackers
Pseudo flaws
This system is similar to a honeypot, but it performs intrusion isolation using a different approach. When an IDS detects an intruder, that intruder is automatically transferred to this system. It has the look and feel of an actual network, but the attacker is unable to perform any malicious activities or access any confidential data from within this location.
A padded cell
A zero-knowledge team knows nothing about the target site except for publicly available information, such as domain name and company address.
Black-Box Testing
A full-knowledge team has full access to all aspects of the target environment. They know what patches and upgrades are installed, and the exact configuration of all relevant devices. If the target is an application, they would have access to the source code.
White-Box Testing
A partial-knowledge team that has some knowledge of the target performs gray-box testing, but they are not provided access to all the information.
Gray-Box Testing