Domain 7: Security Operations Flashcards
Continuity Planning Subtasks (5)
Strategy Development, Provisions and Processes, Plan Approval, Plan Implementation, Training and Education
Strategy Development
Bridges the gap between the BIA and the rest of continuity planning in the BCP; determines which risks are acceptable and which must be mitigated
Provisions and Processes
specific procedures and mechanisms that will mitigate the risks deemed unacceptable
Three Categories of assets in BCP Provisions and Processes
People, Buildings/Facilities, Infrastructure
Important Components of a Written BCP (11)
Continuity Planning Goals, Statement of Importance, Statement of Priorities, Statement of Organizational Responsibility, Statement of Urgency and Timing, Risk Assessment, Risk Acceptance/Mitigation, Vital Records Program, Emergency Response Guidelines, Maintenance, Testing and Exercise
Importance of a Written BCP (3)
Historical Benefit, Sanity Check, Reference document
Entitlement
amount of privileges granted to users
Aggregation
amount of privileges that users collect over time
Transitive Trust
trust between two security domains that extends to all their subdomains (if A trusts B and B trusts C, then A trusts C)
Common methods for managing security in the information life cycle
Marking data, handling data, storing data, destroying data
SLA
Service Level Agreement - agreement between an organization and a vendor that stipulates performance expectations (e.g., uptime and response times)
MOU
Memorandum of Understanding - documents the intent of two entities to work together toward a common goal
ISA
Interconnection Security Agreement - specifies how the two parties establish, maintain, and disconnect the connection between their systems, including its security requirements
Virtual Machines
run as guest OSs on physical servers
SDNs
Software-Defined Networking - separates the control plane from the data plane so that network behavior is programmed centrally, allowing the use of simpler network devices in place of traditional routers and switches
VSANs
Virtual Storage Area Networks - virtual dedicated high speed network that hosts multiple storage devices
What is the primary software component in virtualization?
Hypervisor
Hypervisor
manages the VMs, virtual data storage, and virtual network components
Cloud Computing
on demand access to computing resources from almost anywhere
SaaS
Software as a Service - fully functional applications (e.g., Google Docs); consumers do not manage or control any of the underlying assets
PaaS
Platform as a Service - computing platform (hardware, OS, application environment); consumers manage their applications and possibly some configuration settings
IaaS
Infrastructure as a Service - servers, storage, and networking resources; consumers install the OS and applications and perform all maintenance
What are the 4 cloud models?
Public, Private, Hybrid, and Community
Public Cloud Model
assets available for any consumer to rent or lease
Private Cloud Model
assets are for a single organization
Community Cloud Model
assets are shared by two or more organizations, typically ones with common concerns (e.g., the same mission or compliance requirements)
Baseline
starting point for configuration of a system
Unauthorized Changes Directly affect the __ in the CIA triad
Availability
Vulnerability Management
regularly identifying, evaluating and mitigating vulnerabilities
CVE
Common Vulnerabilities and Exposures - dictionary that provides a standard naming convention for identifying publicly known vulnerabilities
Incident
Any event that has a negative effect on the CIA of an org’s asset
Computer Security Incident
an incident that is a result of an attack
Incident Response Steps
Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons Learned
DoS Attacks
attacks that prevent a system from processing or responding to legitimate traffic or requests
DDoS
DoS attack using multiple attack systems
DRDoS
Distributed Reflective DoS - does not attack the victim directly; the attacker sends spoofed requests (with the victim's address as the source) to third-party systems, whose replies are reflected onto the victim
SYN Flood attack
sends many SYN packets but never completes the three-way handshake, exhausting the victim's half-open connection resources
Smurf Attack
floods the victim with ICMP echo replies by sending echo requests spoofed with the victim's address to a network's broadcast address
Fraggle Attacks
floods the victim with UDP packets using the echo (port 7) and chargen (port 19) services
Ping Flood Attack
floods a victim with ping requests
Ping-of-death Attack
send oversized ping packet
Teardrop Attack
attacker fragments traffic in such a way that a system is unable to put data packets back together
Land Attack
attacker sends spoofed SYN packets using the victim's IP address as both source and destination
Zero-day Exploit
attack on a system exploiting a vulnerability that is unknown to the vendor or for which no patch is yet available
Malicious Code
any script or program that performs an unwanted, unauthorized, or unknown activity
Drive-by Download
code downloaded and installed on a user's system without their knowledge, typically just by visiting a malicious or compromised web page
Man in the Middle Attack
attacker gains a logical position between two endpoints of communication
War Dialing
using a modem to dial a range of numbers in search of a system that accepts inbound connection attempts; newer forms use VoIP
Knowledge Based Detection
signature or pattern based, uses database of known attacks
Behavior Based Detection
heuristic or anomaly based; creates a baseline of normal activity and alerts on deviations from it
Passive vs Active IDS Response
Passive response only sends notifications/alerts; active response modifies the environment (e.g., changes firewall rules or terminates the session)
Darknet
Portion of allocated IP addresses within a network that are not used
Pseudo Flaws
false vulnerabilities intentionally implanted in a system to tempt attackers
Padded Cells
similar to honeypot but performs intrusion isolation
Whitelisting
Identifies the list of applications authorized to run; everything not on the list is blocked
Blacklisting
Identifies the list of applications not authorized to run; everything not on the list is allowed
Logging
process of recording info about events to a log file or database
Monitoring
process of reviewing logs looking for something specific
Log Analysis
detailed and systematic form of monitoring
SIEM
Security Information and Event Management - provide real time analysis of events
Sampling
process of extracting specific elements from a large collection of data to construct something meaningful
Clipping
form of nonstatistical sampling that records only events exceeding a threshold (the clipping level), e.g., more than five failed logins for one account in an hour
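The DoS attack cards above (Land, Fraggle, Smurf), the knowledge-based vs behavior-based detection cards, and the clipping level card all describe detection logic that is easier to see in code. The following is an added example written for this page, not code from the flashcards or from any real IDS: three toy detectors run over constructed packet records and constructed sshd-style log lines. The signatures, the baseline counts, the threshold of mean plus three standard deviations, and the clipping level of five are all illustrative assumptions.

```python
"""Toy intrusion-detection logic (added example, not from the flashcards):
knowledge-based signatures, behavior-based baselining, and a clipping level."""
import re
import statistics
from collections import Counter

# Constructed packet records, one dict per packet (not a real capture).
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.5", "proto": "tcp", "dport": 80, "flags": "S"},       # Land attack
    {"src": "203.0.113.9", "dst": "10.0.0.7", "proto": "udp", "dport": 19, "flags": ""},      # Fraggle (chargen)
    {"src": "203.0.113.9", "dst": "10.0.0.255", "proto": "icmp", "type": "echo-request"},     # Smurf amplification
    {"src": "198.51.100.2", "dst": "10.0.0.7", "proto": "tcp", "dport": 443, "flags": "S"},   # ordinary SYN
]

# Knowledge-based detection: a signature is a named predicate describing a known attack pattern.
SIGNATURES = {
    "land_attack": lambda p: p.get("proto") == "tcp" and "S" in p.get("flags", "")
                             and p.get("src") == p.get("dst"),
    "fraggle":     lambda p: p.get("proto") == "udp" and p.get("dport") in (7, 19),
    "smurf":       lambda p: p.get("proto") == "icmp" and p.get("type") == "echo-request"
                             and p.get("dst", "").endswith(".255"),
}

def match_signatures(packet):
    """Return the names of every signature the packet matches (empty list = no known pattern)."""
    return [name for name, rule in SIGNATURES.items() if rule(packet)]

# Behavior-based detection: learn what "normal" looks like, then flag statistically unusual activity.
BASELINE_SYN_PER_SECOND = [40, 42, 38, 45, 41, 39, 44, 40]     # constructed quiet-hour counts
OBSERVED_SYN_PER_SECOND = {"10:00:01": 43, "10:00:02": 46, "10:00:03": 1200, "10:00:04": 44}

def syn_rate_anomalies(observed, baseline, k=3.0):
    """Flag seconds whose SYN count exceeds mean + k standard deviations of the baseline."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return [(t, n) for t, n in observed.items() if n > threshold]

# Clipping level: ignore individual failures, record only accounts that exceed the threshold.
AUTH_LOG = [  # constructed sshd-style lines
    "Mar 10 09:00:01 host sshd[411]: Failed password for alice from 198.51.100.4 port 50231 ssh2",
    "Mar 10 09:00:05 host sshd[412]: Accepted password for alice from 198.51.100.4 port 50232 ssh2",
] + [f"Mar 10 09:01:{s:02d} host sshd[42{s}]: Failed password for invalid user bob "
     f"from 203.0.113.7 port 40001 ssh2" for s in range(6)]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def over_clipping_level(log_lines, level=5):
    """Return {user: failures} only for users whose failed logins exceed the clipping level."""
    failures = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return {user: n for user, n in failures.items() if n > level}

if __name__ == "__main__":
    for p in PACKETS:
        print(p["src"], "->", p["dst"], match_signatures(p) or "no signature match")
    print("SYN anomalies:", syn_rate_anomalies(OBSERVED_SYN_PER_SECOND, BASELINE_SYN_PER_SECOND))
    print("Over clipping level:", over_clipping_level(AUTH_LOG))
```

The signature rules only catch what they were written for (the fourth packet, an ordinary SYN, matches nothing), while the baseline rule catches the 1200-SYN second without knowing what a SYN flood is; the clipping level is why alice's single failure never appears in the report but bob's six do.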
Egress Monitoring
monitoring outgoing traffic to prevent data exfiltration
What are the two primary types of DLP systems?
Network based and endpoint based
Network Based DLP
scans all outgoing data looking for specific data (e.g., credit card numbers or classified markings) and blocks or alerts on it
Endpoint-based DLP
scans files stored on the system as well as files sent to external devices (printers, flash drives, etc.)
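The network-based DLP card says the system scans outgoing data for specific content; the following added example (written for this page, not from the flashcards or from any DLP product) shows the core of such a check for payment card numbers. A plain digit-run regex would flag order numbers and tracking references, so the Luhn checksum is used to discard most false positives, and the report masks all but the last four digits so the DLP log does not itself become a leak. The two outbound messages are constructed, and the block/allow policy is an assumption.

```python
"""Toy network DLP check for outbound payloads (added example, not from the flashcards)."""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(payload: str) -> list:
    """Return the unformatted card numbers found in an outbound payload."""
    found = []
    for m in CARD_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def mask(digits: str) -> str:
    """The DLP report itself must not leak the full number."""
    return "*" * (len(digits) - 4) + digits[-4:]

def egress_decision(payload: str) -> dict:
    """Block the flow if any card number is present; otherwise allow it."""
    hits = find_card_numbers(payload)
    return {"action": "block" if hits else "allow", "findings": [mask(d) for d in hits]}

# Constructed outbound messages (not real traffic). 4111 1111 1111 1111 is a well-known test number.
ALLOWED = "Order 1234567890123456 shipped, tracking ref 99887766"
BLOCKED = "Please charge card 4111 1111 1111 1111 exp 12/29 for the invoice"

if __name__ == "__main__":
    for msg in (ALLOWED, BLOCKED):
        print(egress_decision(msg))
```

The 16-digit order number in the first message is a regex match but fails the Luhn check, so the flow is allowed; the second message is blocked and reported with a masked number.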
Disaster Recovery Planning steps in where ___ leaves off
BCP
Single Point of Failure
any component that can cause an entire system to fail
Fault Tolerance
the ability of a system to suffer a fault but continue to operate
System Resilience
the ability of a system to maintain an acceptable level of service during an adverse event
RAID-0
Striping - uses two or more disks; improves disk performance but provides no fault tolerance (losing one disk loses the whole array)
RAID-1
Mirroring - uses two disks which both hold the same data
RAID-5
Striping with Parity - uses three or more disks; the array survives the failure of any one disk, but operates more slowly until the failed disk is replaced and rebuilt
RAID-10
aka RAID 1 +0, a stripe of mirrors, two or more mirrors configured in a stripe
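The RAID-5 card states that the array survives one failed disk; the following added example (written for this page, not taken from the flashcards or from any RAID implementation) shows the mechanism. Parity is the XOR of the data blocks in a stripe, so XOR-ing every surviving block regenerates whichever block is missing, whether it was data or parity; a second failure in the same stripe cannot be recovered. The four-byte blocks and the parity rotation rule are illustrative assumptions.

```python
"""RAID-5 parity with XOR (added example, not from the flashcards)."""

def xor_blocks(blocks):
    """XOR equal-length byte blocks together."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)

def write_stripe(data_blocks, stripe_no):
    """Lay out one stripe: N data blocks plus one parity block.
    RAID-5 rotates the parity position across stripes so no single disk becomes a hot spot."""
    n_disks = len(data_blocks) + 1
    parity_pos = stripe_no % n_disks
    stripe = list(data_blocks)
    stripe.insert(parity_pos, xor_blocks(data_blocks))
    return stripe

def can_rebuild(stripe):
    """RAID-5 tolerates at most one missing block (None) per stripe."""
    return sum(blk is None for blk in stripe) <= 1

def rebuild(stripe):
    """Recompute a single missing block from the survivors; two failures are unrecoverable."""
    if not can_rebuild(stripe):
        raise ValueError("RAID-5 tolerates only one failed disk")
    repaired = list(stripe)
    for i, blk in enumerate(stripe):
        if blk is None:
            repaired[i] = xor_blocks([b for b in stripe if b is not None])
    return repaired

def read_data(stripe, stripe_no):
    """Strip the parity block back out to recover the original data blocks."""
    parity_pos = stripe_no % len(stripe)
    return [blk for i, blk in enumerate(stripe) if i != parity_pos]

if __name__ == "__main__":
    data = [b"AAAA", b"BBBB", b"CCCC"]
    stripe = write_stripe(data, stripe_no=1)    # four disks: [A, parity, B, C]
    stripe[2] = None                            # simulate disk 2 (holding B) failing
    print(read_data(rebuild(stripe), 1))        # [b'AAAA', b'BBBB', b'CCCC']
```

Every read from a degraded array has to do this XOR over the surviving disks, which is the slowdown the RAID-5 card refers to.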
UPS
Uninterruptible Power Supply, provides btwn 5 and 30 min of power
Fail Secure System
system defaults to a secure state (e.g., denies access) in the event of a failure
Fail Open System
system fails to an open state, granting all access when a failure occurs
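The difference between the two cards above is decided in an error-handling path, usually one nobody tested. The following added example (written for this page, not from the flashcards) shows an authorization check in both forms: the fail-open version returns True when the policy backend is unreachable, so an outage (or an attacker who can cause one) grants everyone access; the fail-secure version logs and denies. The in-memory policy dict and the outage simulated by passing None are assumptions for the demonstration.

```python
"""Fail-open vs fail-secure authorization (added example, not from the flashcards)."""
import logging

class PolicyStoreUnavailable(Exception):
    """Raised when the backend that holds access rules cannot be reached."""

def lookup(policy_store, user, resource):
    """policy_store: dict {(user, resource): allowed}, or None to simulate an outage."""
    if policy_store is None:
        raise PolicyStoreUnavailable("policy backend down")
    return policy_store.get((user, resource), False)

def authorize_fail_open(policy_store, user, resource):
    """Anti-pattern: the error path grants access."""
    try:
        return lookup(policy_store, user, resource)
    except PolicyStoreUnavailable:
        return True                         # outage == everyone gets in

def authorize_fail_secure(policy_store, user, resource):
    """Default deny: an error is logged and treated as 'no'."""
    try:
        return lookup(policy_store, user, resource)
    except PolicyStoreUnavailable as exc:
        logging.error("authz denied %s on %s: %s", user, resource, exc)
        return False

POLICY = {("alice", "/payroll"): True}      # constructed: only alice may read payroll

if __name__ == "__main__":
    print(authorize_fail_open(POLICY, "mallory", "/payroll"))    # False while the store is up
    print(authorize_fail_open(None, "mallory", "/payroll"))      # True: the outage grants access
    print(authorize_fail_secure(None, "mallory", "/payroll"))    # False
```

Both functions give identical answers while the policy store is healthy, which is why the fail-open bug survives ordinary testing; only a fault-injection test (the None case) exposes it.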
4 Types of Trusted Recovery
Manual Recovery, Automated Recovery, Automated Recovery without Undue Loss, Function Recovery
Function Recovery
automatically recover specific functions
Manual Recovery
system does not automatically fail into a secure state; an administrator must manually take action to return it to a secured or trusted state
Automated Recovery
system performs trusted recovery activities to restore itself against at least one type of failure
Automated Recovery without Undue Loss
system performs trusted recovery activities to restore itself against at least one type of failure + specific objects are protected against loss
Bandwidth
network capacity available to carry communications
Latency
time it takes a packet to travel from source to destination
Jitter
variation in latency between different packets
The DRP team must first __________
identify the high priority business units
Cold Sites
standby facility with HVAC, power, basic telecom, etc. and nothing else; takes weeks to become operational
Hot site
fully configured facility with up-to-date data; may be ready almost instantaneously
Warm Sites
contains equipment and data circuits but not current data; usually 12-24 hours to activate
Service Bureau
company that leases computer time; owns large server farms and can host an organization's processing after a disaster
MAAs
Mutual Assistance Agreements - two orgs pledge to assist each other
Electronic Vaulting
database backups are moved to a remote site using bulk transfers (e.g., nightly)
Remote Journaling
transaction logs (journals) are transferred to the remote site more frequently (e.g., once an hour)
Remote Mirroring
a live database server is maintained at the backup site and updated in parallel with the production server
Full Backups
complete copy, resets archive bit
Incremental Backups
copies only files that have been modified since the last full or incremental backup; resets the archive bit
Differential Backups
copies all files modified since the last full backup; does not reset the archive bit
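The three backup cards turn on one detail, whether the archive bit is reset, and that detail decides which backup sets a restore needs. The following added example (written for this page, not from the flashcards or from any backup product) simulates a file system with archive bits, runs a Sunday full backup followed by two daily backups under each strategy, and restores from them. The three files and the weekly schedule are constructed for the demonstration.

```python
"""Archive-bit semantics of full, incremental and differential backups (added example)."""

class ToyFileSystem:
    """Each file carries an archive bit that is set whenever the file is written."""
    def __init__(self):
        self.files = {}                      # name -> [content, archive_bit]

    def write(self, name, content):
        self.files[name] = [content, True]

def backup(fs, kind):
    """Return the backup set {name: content} and update archive bits as the type dictates."""
    if kind == "full":
        copied = {n: c for n, (c, _) in fs.files.items()}
        reset = True
    elif kind == "incremental":
        copied = {n: c for n, (c, bit) in fs.files.items() if bit}
        reset = True                         # next incremental sees only newer changes
    elif kind == "differential":
        copied = {n: c for n, (c, bit) in fs.files.items() if bit}
        reset = False                        # bits stay set until the next full backup
    else:
        raise ValueError(kind)
    if reset:
        for entry in fs.files.values():
            entry[1] = False
    return copied

def restore(backup_sets):
    """Replay sets oldest to newest; later copies overwrite earlier ones."""
    state = {}
    for s in backup_sets:
        state.update(s)
    return state

def run_week(strategy):
    """Sunday full backup, then one change per day backed up with the chosen strategy."""
    fs = ToyFileSystem()
    for name in ("a.txt", "b.txt", "c.txt"):
        fs.write(name, name[0] + "0")
    sets = [backup(fs, "full")]              # Sunday
    fs.write("a.txt", "a1")                  # Monday change
    sets.append(backup(fs, strategy))
    fs.write("b.txt", "b1")                  # Tuesday change
    sets.append(backup(fs, strategy))
    return sets

if __name__ == "__main__":
    inc = run_week("incremental")
    diff = run_week("differential")
    print("incremental sets:", inc[1:])      # [{'a.txt': 'a1'}, {'b.txt': 'b1'}]
    print("differential sets:", diff[1:])    # [{'a.txt': 'a1'}, {'a.txt': 'a1', 'b.txt': 'b1'}]
    print("full + last incremental only :", restore([inc[0], inc[2]]))    # a.txt is stale
    print("full + last differential only:", restore([diff[0], diff[2]]))  # complete
```

Incremental backups are smaller but a restore must replay the full backup plus every incremental in order; skipping Monday's set silently restores the old a.txt. Differential sets grow through the week, but the full backup plus the most recent differential is always enough.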
Software Escrow Arrangements
a software developer deposits copies of its source code with an independent third party (the escrow agent), to be released to the customer if the developer stops supporting the product or goes out of business
Recovery vs Restoration
Recovery is the short-term effort to implement and maintain operations at the recovery site; restoration returns the primary site to operational capacity
3 goals of a Read-through test
ensures key personnel are aware of their roles; gives individuals an opportunity to review and update the plans; identifies personnel who have left so their responsibilities can be reassigned
Structured Walk Through
tabletop exercise - team members role-play a disaster scenario together
Simulation Test
structured walk-through plus actual testing of some of the response measures for the scenario
Parallel Test
relocate personnel to alternate site and implement site activation procedures
Full-Interruption Test
shutting down operations at the primary site and shifting them to the recovery site
Operational Investigations
examine issues related to the organization’s computing infrastructure and have the primary goal of resolving operational issues
Criminal Investigations
may result in charging suspects with a crime
Regulatory Investigations
when the government believes that an individual or corporation has violated administrative law
9 Steps of Electronic Discovery
Information Governance, Identification, Preservation, Collection, Processing, Review, Analysis, Production, Presentation
What are the 3 requirements of admissible evidence?
relevant, material (related to the case), competent (obtained legally)
Real Evidence
physical evidence
Documentary Evidence
written items
Testimonial Evidence
testimony of a witness
Media Analysis
identification and extraction of information from storage media
Network Analysis
review of activity over the network (captured traffic and network device logs)
Hardware/Embedded Device Analysis
review the contents of hw and embedded devices
Military and Intelligence Attacks
launched to obtain secret and restricted information from law enforcement or military
Business Attacks
illegally obtaining an org’s confidential information
Financial Attacks
unlawfully obtain money or services
Grudge Attacks
attacks carried out to damage an org or person
Thrill Attacks
script kiddies, often for the fun of it
Event
any occurrence that takes place during a certain period of time
Incident
An event that has a negative outcome affecting the CIA
Scanning
probing systems for weaknesses before an attack; similar to a burglar casing a neighborhood
Compromise
any unauthorized access to the system or the information the system stores
CIRT
computer incident response team
3 Step Incident Response Process
- Detection and Identification
- Response and Reporting
- Recovery and Remediation
- Detection and Identification
detect security incident and notify appropriate personnel
- Response and Reporting
Isolation and Containment, Gathering Evidence
- Recovery and Remediation
restore the environment to its normal operating state and complete a lessons learned process
5 rules of digital evidence
authentic, accurate, convincing, complete, admissible