Domain 7: Security Operations Flashcards
Preparation
These include training, writing incident response policies and procedures, providing tools such as laptops with sniffing software, crossover cables, original OS media, removable drives, etc. Preparation should include anything that may be required to handle an incident, or which will make incident response faster and more effective.
Detection
Detection (also called identification) is the phase in which events are analyzed in order to determine whether they might comprise a security incident.
Response
The response phase (aka containment) of incident response is the point at which the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident. Responses might include taking a system off the network, isolating traffic, powering off the system, or other actions to control both the scope and severity of the incident.
The mitigation phase
involves the process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase.
Reporting
Reporting must begin immediately upon detection of malicious activity. Reporting contains two primary areas of focus: technical and non-technical reporting. The incident handling teams must report the technical details of the incident as they begin the incident handling process, while maintaining sufficient bandwidth to also notify management of serious incidents.
Recovery
The recovery phase involves cautiously restoring the system or systems to operational status. Typically, the business unit responsible for the system will dictate when the system will go back online.
Remediation
Remediation steps occur during the mitigation phase, where vulnerabilities within the impacted system or systems are mitigated.
Four types of IDS events
True Positive
True Negative
False Positive
False Negative
True Positive
Conficker worm is spreading on a trusted network, and NIDS alerts
True Negative
User surfs the Web to an allowed site, and NIDS is silent
False Positive
User surfs the Web to an allowed site, and NIDS alerts
False Negative
Conficker worm is spreading on a trusted network, and NIDS is silent
Difference between an active-response NIDS and a NIPS
Architecturally, an active-response NIPS is like the NIDS in Figure 8.5; the difference is that the monitoring interface is read/write.
Tripwire
Tripwire protects system integrity by detecting changes to critical operating system files. Changes are detected through a variety of methods, including comparison of cryptographic hashes.
Pattern Matching
Pattern matching works well for detecting known attacks, but usually does poorly against new attacks.
The Security Information and Event Management (SIEM) is the primary tool used to
ease the correlation of data across disparate sources.
Typical challenges associated with endpoint security are associated
with volume considerations: vast number of products/systems must be managed; significant data must be analyzed and potentially retained.
Application whitelisting is superior to application
blacklisting
A honeypot
is a system designed to attract attackers. This allows information security researchers and network defenders to better analyze network-based attacks. Honeypots have no production value beyond research.
Low-interaction honeypots
simulate systems, usually by scripting network actions (such as simulating network services by displaying banners).
High-interaction honeypots
run actual operating systems, in hardware or virtualized.
honeynet
Honeynets can include a honeywall (honeynet firewall) that is intended to limit the likelihood of the honeynet being used to attack other systems.
Security baselining
is the process of capturing a point-in-time understanding of the current system security configuration.
The three basic types of backups are
full backup, incremental backup and differential backup.
Incremental backups
only archive files that have changed since the last backup of any kind was performed.
Though the time to perform each incremental backup is extremely short, the downside is that a full restore can require quite a few tapes, especially if full backups are performed less frequently.
Differential
Another approach to data backup is the differential backup method. While the incremental backup only archived those files that had changed since any backup, the differential method will back up any files that have been changed since the last full backup.
RAID
The goal of a Redundant Array of Inexpensive Disks (RAID) is to help mitigate the risk associated with hard disk failures.
Three critical RAID terms are:
mirroring, striping and parity.
Mirroring
is the most obvious and basic of the fundamental RAID concepts, and is simply used to achieve full data redundancy by writing the same data to multiple hard disks.
Striping
is a RAID concept that is focused on increasing read and write performance by spreading data across multiple hard disks. With data being spread among multiple disk drives, reads and writes can be performed in parallel across multiple disks rather than serially on one disk. This parallelization provides a performance increase, but does not aid in data redundancy.
Parity
is a means to achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance.
RAID 0
RAID 0 employs striping to increase the performance of reads and writes. By itself, striping offers no data redundancy, so RAID 0 is a poor choice if recovery of data is the reason for leveraging RAID.
RAID 1
This level of RAID is perhaps the simplest of all RAID levels to understand. RAID 1 creates/writes an exact duplicate of all data to an additional disk. The write performance is decreased, though the read performance can see an increase. Disk cost is one of the most troubling aspects of this level of RAID, as at least half of all disks are dedicated to redundancy.
RAID 3
Striping is desirable due to the performance gains associated with spreading data across multiple disks. However, striping alone is not as desirable due to the lack of redundancy. With RAID 3, data, at the byte level, is striped across multiple disks, but an additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.
RAID 4
RAID 4 provides the exact same configuration and functionality as that of RAID 3, but stripes data at the block, rather than byte, level. Like RAID 3, RAID 4 employs a dedicated parity drive.
RAID 5
One of the most popular RAID configurations is RAID 5, Striped Set with Distributed Parity. Again with RAID 5 there is a focus on striping for the performance increase it offers, and RAID 5 leverages block-level striping. Like RAIDs 3 and 4, RAID 5 writes parity information that is used for recovery purposes. However, unlike RAIDs 3 and 4, which require a dedicated disk for parity information, RAID 5 distributes the parity information across multiple disks. One of the reasons for RAID 5's popularity is that the disk cost for redundancy is lower than that of a mirrored set. Another important reason for this level's popularity is the support for both hardware- and software-based implementations, which significantly reduces the barrier to entry for RAID configurations. RAID 5 allows for data recovery in the event that any one disk fails.
active-active configuration
a high-availability (HA) cluster configuration in which each node of the cluster is actively processing data in advance of a failure.
active-passive
also called hot standby; a configuration in which the backup systems only begin processing when a failure state is detected.
Business Continuity Planning provides the …… strategic business-oriented plan for continued operation after a disruptive event; the Disaster Recovery Plan is more tactical in its approach.
long-term
Disaster Recovery Planning is considered …… rather than strategic and provides a means for immediate response to disasters. The DRP does not focus on long-term business impact in the same fashion that a BCP does.
tactical
The Business Continuity Plan is an umbrella plan that includes multiple specific plans, most importantly the ………
Disaster Recovery Plan
The Business Impact Analysis (BIA)
is the formal method for determining how a disruption to the IT system(s) of an organization will impact the organization's requirements, processes, and interdependencies with respect to the business mission. [19] It is an analysis to identify and prioritize critical IT systems and components. It enables the BCP/DRP project manager to fully characterize the IT contingency requirements and priorities. [20] The objective is to correlate the IT system components with the critical service it supports. It also aims to quantify the consequence of a disruption to the system component and how that will affect the organization.
The primary goal of the BIA
is to determine the Maximum Tolerable Downtime (MTD) for a specific IT asset.
The BIA comprises two processes.
First, identification of critical assets must occur. Second, a comprehensive risk assessment is conducted.
Maximum Tolerable Downtime (MTD)
describes the total time a system can be inoperable before an organization is severely impacted.
Reconstitution is the process
of moving an organization from the disaster recovery to business operations.
The Recovery Point Objective (RPO)
is the amount of data loss or system inaccessibility (measured in time) that an organization can withstand.
The Recovery Time Objective (RTO)
describes the maximum time allowed to recover business or IT systems.
Work Recovery Time (WRT)
describes the time required to configure a recovered system. "Downtime consists of two elements, the systems recovery time and the work recovery time."
Mean Time Between Failures (MTBF)
quantifies how long a new or repaired system will run before failing.
The Mean Time to Repair (MTTR)
describes how long it will take to recover a specific failed system.
Minimum Operating Requirements (MOR)
describe the minimum environmental and connectivity requirements in order to operate computer equipment.
Hot site
A hot site will have the capability to allow the organization to resume critical operations within a very short period of time, sometimes in less than an hour.
Warm Site
typically 1–3 days in order to resume critical operations
A cold site
recovery time usually measured in weeks, not days
Continuity of Operations Plan (COOP)
describes the procedures required to maintain operations during a disaster. This includes transfer of personnel to an alternate disaster recovery site, and operations of that site.
Business Recovery Plan (BRP)
details the steps required to restore normal business operations after recovering from a disruptive event. This may include switching operations from an alternate site back to a (repaired) primary site.
The Occupant Emergency Plan (OEP)
provides the "response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property."
The Crisis Management Plan (CMP)
is designed to provide effective coordination among the managers of the organization in the event of an emergency or disruptive event.
RAID systems with hot-swapping disks are able to ……
replace drives while the system is running.
RAID parity is used to ….
rebuild lost or corrupted data.
Striping
This activity divides and writes the data over several drives. Both write and read performance are increased dramatically because more than one head is reading or writing data at the same time.
Hierarchical storage management (HSM) provides
continuous online backup functionality
A storage area network (SAN),
consists of numerous storage devices linked together by a high-speed private network and storage-specific switches.
Clustering is a fault-tolerant server technology that provides ……
availability and scalability
…… provides for availability and scalability. It groups physically different systems and combines them logically, which helps to provide immunity to faults and improves performance.
Clustering
A differential process backs up
the files that have been modified since the last full backup
incremental process backs up all the files
that have been modified since the last full backup
A continuity of operations (COOP) plan
establishes senior management and a headquarters after a disaster.
cyber-incident response
focuses on malware, hackers, intrusions, attacks, and other security issues. It outlines procedures for incident response with the goal of limiting damage, minimizing recovery time, and reducing costs. A cyber-incident response plan should include a description of the different types of incidents, who to call when an incident occurs, and each person’s responsibilities, procedures for addressing different types of incidents, and forensic procedures. The plan should be tested, and all participants should be trained on their responsibilities.
Occupant emergency plan
establishes personnel safety and evacuation procedures. The goal of an occupant emergency plan is to reduce the risk to personnel and minimize the disruption to work and operations in the case of an emergency
IT contingency plan
establishes procedures for the recovery of systems, networks, and major applications after disruptions. Steps for creating IT contingency plans are addressed in the NIST 800-34 document.
Remote journaling
is a technology used to transmit data to an offsite facility, but this usually only includes moving the journal or transaction logs to the offsite facility, not the actual files.
Electronic vaulting
commonly takes place between databases and makes copies of files as they are modified, periodically transmitting them to an offsite backup site.