Operations Flashcards
Administrative Personnel Controls examples
Administrative Personnel Controls • Compartmentalization • Separation of Duties (splits a critical function so that abusing it requires collusion, two or more people cooperating) • Rotation of duties • Mandatory Leave • Non-disclosure agreement (NDA) • Background checks
Least Privilege
• Least Privilege- (aka minimum necessary access) subject has no more access than is strictly required to perform duties
Need to Know
Need to Know- applies to sensitive data; enforced with Mandatory Access Control, where access depends on the security clearance of the subject and the classification of the object. Clearance alone is not enough: the subject must also need the object to perform their duties.
Compartmentalization
Compartmentalization- a method for enforcing Need to Know
Rotation of duties
Rotation of duties- one person does not perform critical functions without interruption; helps mitigate fraud (cost is always a consideration and can trump some controls)
3 types of controls
Administrative, Technical, Physical
Data remanence
Data remanence- residual data that remains on storage media after nominal deletion (deleting a file typically removes only the directory entry); recoverable until the media is wiped, degaussed, or destroyed
Wiping
Wiping (aka overwriting)- writes new data over every bit or block of the media; bad sectors or disk damage can prevent a complete overwrite, and on SSDs wear leveling can leave copies in blocks the OS cannot address, so flash media should use the drive's built-in secure erase or crypto-erase instead
Shredding
Shredding- physical destruction; most secure; incineration or pulverization
Configuration Management
Configuration Management
• Defined by ISC2 as “a process of identifying and documenting hardware components, software and the associated settings.”
Baselining
Baselining- capturing a point in time of the current system security config
o Requires ongoing monitoring of the config so drift from the baseline is detected
Vulnerability scanning
Vulnerability scanning- discovers poor configs and missing patches
Vulnerability management
Vulnerability management- prioritization and remediation of vulnerabilities; prioritization based on risk to org and ease of remediation
Full Backup
Full Backup- replica of all data; coupled with incremental or differential
Incremental Backup
Incremental Backup- backs up files changed since the last backup of any kind (full or incremental) and clears the archive bit. Fastest to run, but a restore needs the last full plus every incremental since it, so the odds of a failed restoration due to tape integrity increase with each incremental backup.
Differential Backup
Differential Backup- backs up files changed since the last full backup; does not clear the archive bit, so each differential grows until the next full. A restore needs only the last full plus the latest differential.
Copy Backup
Copy Backup- Same as full backup, but the Archive Bit is not reset, so it does not disturb the regular incremental/differential schedule; use before upgrades or system maintenance
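The four backup types above differ only in which files they capture and whether they clear the archive bit, and that in turn decides how long the restore chain is. The model below is an added example, not from the original notes: it tracks the archive bit per file, runs a constructed schedule, and computes the minimal set of backups needed to restore to the latest state (file names and the schedule are invented).

```python
from dataclasses import dataclass


@dataclass
class BackupSet:
    kind: str          # "full", "incremental", "differential" or "copy"
    files: dict        # filename -> contents captured by this set


class FileSystem:
    """Minimal file store that tracks the archive bit per file."""

    def __init__(self):
        self.files = {}        # filename -> contents
        self.archive = set()   # names whose archive bit is set (modified since last clear)

    def write(self, name, data):
        self.files[name] = data
        self.archive.add(name)  # any write sets the archive bit


def run_backup(fs, kind):
    """Capture a backup set and update archive bits the way each type does:
    full/copy take everything, incremental/differential take only files with
    the bit set; full and incremental clear the bit, differential and copy do not."""
    if kind in ("full", "copy"):
        captured = dict(fs.files)
    elif kind in ("incremental", "differential"):
        captured = {n: fs.files[n] for n in sorted(fs.archive)}
    else:
        raise ValueError(f"unknown backup kind {kind!r}")
    if kind in ("full", "incremental"):
        fs.archive.clear()
    return BackupSet(kind, captured)


def restore_chain(history):
    """Minimal ordered list of sets needed to restore to the latest state:
    the last full, every later incremental, and only the latest differential.
    A differential is superseded by any later incremental or differential
    (they contain everything it did), and a copy backup never joins the chain."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    chain = [history[last_full]]
    for b in history[last_full + 1:]:
        if b.kind == "copy":
            continue
        while chain[-1].kind == "differential":
            chain.pop()
        chain.append(b)
    return chain


def restore(chain):
    """Replay the chain in order; later sets overwrite earlier versions."""
    state = {}
    for b in chain:
        state.update(b.files)
    return state


def example_schedule():
    """Constructed schedule: a full, then edits interleaved with incremental,
    differential and copy backups."""
    fs = FileSystem()
    fs.write("a.txt", "a0")
    fs.write("b.txt", "b0")
    history = [run_backup(fs, "full")]
    fs.write("a.txt", "a1")
    history.append(run_backup(fs, "incremental"))
    fs.write("b.txt", "b1")
    history.append(run_backup(fs, "differential"))
    fs.write("a.txt", "a2")
    history.append(run_backup(fs, "differential"))  # grows: includes b.txt again
    history.append(run_backup(fs, "copy"))          # pre-maintenance copy, bit untouched
    return fs, history


if __name__ == "__main__":
    fs, history = example_schedule()
    chain = restore_chain(history)
    print([b.kind for b in chain])
    print(restore(chain) == fs.files)
```

Running the schedule shows the second differential carrying both files (it keeps growing until the next full), and the restore chain collapsing to full + incremental + latest differential; every extra incremental in a chain is one more medium that must read back cleanly.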
Mirroring
Mirroring- full data redundancy
Striping
Striping- increases read/write performance by spreading data across multiple disks
Parity
Parity- data redundancy at lower cost than mirroring. Parity information (the XOR of the data chunks in a stripe) is stored on one or more drives so that the contents of a failed drive can be rebuilt from the survivors.
RAID 0
RAID 0- Striped Set; increases performance, not data redundancy
RAID 1
RAID 1- Mirrored Set; duplicate data on an added disk; write performance slightly decreased (every write goes to both disks); read performance increased; 50% usable capacity
RAID 5
RAID 5- striped set with distributed (block-level) parity; parity rotates across all disks; needs at least three disks; tolerates a single disk failure (a second failure before the rebuild completes loses the array); one of the most popular
RAID 1 + 0
RAID 1 + 0 (aka RAID 10)- striped set of mirrors; survives the loss of one disk from each mirror pair
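To make the parity cards concrete, here is an added example (not from the original notes) that lays data out the way RAID 5 does, with the parity chunk rotating across disks, then "fails" one disk and rebuilds it by XORing the surviving chunks of each stripe. Disk count, chunk size and the sample data are arbitrary choices for the demonstration.

```python
def xor_chunks(chunks):
    """Bytewise XOR of equal-length byte strings: the parity operation."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, byte in enumerate(c):
            out[i] ^= byte
    return bytes(out)


def stripe_raid5(data, ndisks, chunk):
    """Lay data out RAID 5 style: each stripe holds ndisks-1 data chunks plus
    one parity chunk, and the parity position rotates (stripe s puts parity
    on disk s % ndisks).  Returns disks[d][s] = chunk bytes.  Data is
    zero-padded to a whole number of stripes."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = chunk * (ndisks - 1)
    data = data + b"\x00" * ((-len(data)) % per_stripe)
    nstripes = len(data) // per_stripe
    disks = [[None] * nstripes for _ in range(ndisks)]
    for s in range(nstripes):
        block = data[s * per_stripe:(s + 1) * per_stripe]
        pieces = [block[i * chunk:(i + 1) * chunk] for i in range(ndisks - 1)]
        parity_disk = s % ndisks
        data_disks = [d for d in range(ndisks) if d != parity_disk]
        for d, piece in zip(data_disks, pieces):
            disks[d][s] = piece
        disks[parity_disk][s] = xor_chunks(pieces)
    return disks


def rebuild_disk(disks, failed):
    """Reconstruct a failed disk: for every stripe, XOR the surviving chunks
    (data and parity alike) to recover the missing one.  Works for exactly
    one missing disk; a second failure cannot be recovered this way."""
    survivors = [d for d in range(len(disks)) if d != failed]
    nstripes = len(disks[survivors[0]])
    return [xor_chunks([disks[d][s] for d in survivors]) for s in range(nstripes)]


def read_raid5(disks, length):
    """Reassemble the data by reading each stripe's data chunks in order,
    skipping the rotating parity chunk, and trimming the padding."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = s % ndisks
        for d in range(ndisks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def simulate_failure(data, ndisks=4, chunk=4, failed=1):
    """Stripe the data, lose one drive, rebuild it, and read the array back."""
    disks = stripe_raid5(data, ndisks, chunk)
    disks[failed] = None                          # the drive dies
    disks[failed] = rebuild_disk(disks, failed)   # hot-spare rebuild from survivors
    return read_raid5(disks, len(data))


if __name__ == "__main__":
    sample = b"parity lets one failed member disk be rebuilt"   # constructed input
    print(simulate_failure(sample) == sample)
```

Because parity is the XOR of every data chunk in the stripe, the XOR of all chunks in a stripe (parity included) is zero; that is the invariant the rebuild relies on, and it is why only one disk per stripe can be missing.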
Clustering
Clustering is a fault tolerant server technology that is similar to redundant servers, except each server takes part in processing services that are requested.
Traffic Analysis
Traffic Analysis (a form of side-channel analysis)- watching traffic volume, timing, and endpoints (not content) to infer that something of interest is taking place
Traffic Padding
Traffic Padding- Generating spurious data in traffic to make traffic analysis more difficult
Protocol Analyzers
Protocol Analyzers (Sniffers)- capture packets with the NIC in promiscuous mode; on a switched network they must be attached to a SPAN (port mirror) port to see traffic for other hosts
Types of IDS
IDS (Intrusion Detection System)- two broad approaches:
Pattern Matching (compares activity to descriptions of known attacks):
• Rule-Based Intrusion Detection
• Signature-Based Intrusion Detection (MOST COMMON)
• Knowledge-Based Intrusion Detection
Profile Comparison (compares activity to a baseline of normal):
• Statistical-Based Intrusion Detection
• Anomaly-Based Intrusion Detection
• Behavior-Based Intrusion Detection
Signature-Based Intrusion Detection
Signature-Based Intrusion Detection
o IDS has a database of signatures which are patterns of previously identified attacks
o Cannot identify new attacks
o Database needs continual updates
Behavior-Based Intrusion Detection
Behavior-Based Intrusion Detection
o Builds and maintains profiles of normal behavior from audit files, logs, and network activity, then flags significant deviations
o Better defense against new attacks
o Creates many false positives (legitimate but unusual activity deviates from the profile too)
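The two detection styles above behave differently on the same traffic. The code below is an added example, not part of the original notes: it runs a few constructed signatures and a simple statistical profile (requests per client, flagged at more than three standard deviations above the training mean) over invented web-server log lines. The log format, IP addresses and signatures are all constructed for the demonstration.

```python
import re
import statistics
from collections import Counter

# Signature database: patterns of previously identified attacks (constructed).
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"(?i)'(?:%20|\s)*or(?:%20|\s)+1(?:%20|\s)*=(?:%20|\s)*1")),
    ("xss probe", re.compile(r"(?i)<script")),
]

# Constructed log format: <client ip> "<method> <path>" <status>
LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>\w+) (?P<path>\S+)" (?P<status>\d{3})$')


def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Signature-based: alert only on requests matching a known pattern."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        for name, rx in SIGNATURES:
            if rx.search(rec["path"]):
                alerts.append((rec["ip"], name, rec["path"]))
    return alerts


def build_profile(lines):
    """Statistical/behavior-based: learn what a normal request count per
    client looks like from a training window."""
    counts = Counter(r["ip"] for r in filter(None, map(parse, lines)))
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(lines, profile, zmax=3.0):
    """Flag clients whose request count deviates from the learned profile."""
    mean, sd = profile
    counts = Counter(r["ip"] for r in filter(None, map(parse, lines)))
    alerts = []
    for ip, n in counts.items():
        if sd == 0:
            z = float("inf") if n > mean else 0.0
        else:
            z = (n - mean) / sd
        if z > zmax:
            alerts.append((ip, n, round(z, 1)))
    return alerts


def constructed_logs():
    """Invented training and observation windows (no real traffic)."""
    def req(ip, path, status=200, n=1):
        return [f'{ip} "GET {path}" {status}'] * n

    training = []
    for i in range(1, 11):                       # ten ordinary clients, 4-6 requests each
        training += req(f"10.0.0.{i}", "/index.html", n=4 + (i % 3))

    observed = []
    for i in range(1, 11):
        observed += req(f"10.0.0.{i}", "/index.html", n=5)
    observed += req("198.51.100.7", "/cgi-bin/../../etc/passwd", 404)      # known signature
    observed += req("198.51.100.7", "/login?user=admin'%20OR%201=1--", 200)  # known signature
    observed += req("198.51.100.7", "/admin/", 404, n=40)                   # unknown probe, no signature
    observed += req("10.0.0.50", "/health", 200, n=30)                      # legitimate monitor, busy
    return training, observed


if __name__ == "__main__":
    training, observed = constructed_logs()
    print(signature_alerts(observed))
    print(anomaly_alerts(observed, build_profile(training)))
```

The signature engine catches the two requests it has patterns for and says nothing about the 40 probes of /admin/, which is the "cannot identify new attacks" limitation. The profile comparison catches the prober by volume, but it also flags the busy monitoring host at 10.0.0.50, which is the false-positive cost of the approach.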
NIST Computer Security Incident Handling Guide has 4 steps in incident lifecycle
NIST Computer Security Incident Handling Guide has 4 steps in incident lifecycle:
1. Preparation- training, defining policies & procedures, tools
2. Detection and Analysis (aka identification)- determine if events are an incident
3. Containment, Eradication, and Recovery
o Containment- keep further damage from occurring
o Eradication- understand the cause so that the system can be cleaned; root cause analysis; a timeline is developed to know which backup/image predates the compromise
o Recovery- system restoration; monitor closely after returning to production
4. Post-incident activity (aka lessons learned, remediation, post mortem, reporting)- most likely to be neglected; feeds back to preparation.
Threat vectors (and examples)
Threat vectors- mediums that allow a threat agent to potentially exploit a vulnerability. e.g.:
o Network- attack against ports open through network and firewalls; most commonly defended against
o Web applications- attack against web app, associated server, and content
o Email attachment- malicious files that exploit client-side app vulnerabilities
o Phone lines- oldest and often overlooked
o Browser- hosts a malicious website or leverages a compromised trusted site
o Pivot attack- leverages an already-compromised internal client to attack internal servers
o Insider threat- employee or contractor
Security Assessment
Security Assessment- a physical, administrative, and logical holistic approach to assessing effectiveness of security controls.
Penetration Testing
Penetration Testing- Ethical hacking to validate discovered weaknesses; Red Teams (Attack)/Blue Teams (Defend)
NIST SP 800-42
NIST SP 800-42 Guideline on Network Security Testing (2003); withdrawn and superseded by NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
Blind test
Blind test: The assessors have only publicly available knowledge. The network team knows that testing is taking place
Double Blind test
Double Blind test: The assessors have only publicly available knowledge, and in this instance the network team does NOT know the test is taking place. This allows evaluation of detection and incident response.
Targeted test
Targeted test: External consultants work with internal staff to focus on specific systems or applications
Test Attack Phases
Test Attack Phases:
- Planning
- Reconnaissance- WhoIs Database, Company Website, Job Search Engines, Social Networking
- Footprinting- Mapping the network (Nmap); ICMP ping sweeps; DNS zone transfers
- Fingerprinting- Identifying host information; Port scanning
- Vulnerability assessment- Identifying weaknesses in system configurations; discovering unpatched software
- The “attack”- Penetration; Privilege escalation; Rootkits; Cover tracks with trojaned programs and log scrubbers
- Reporting
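Footprinting and fingerprinting produce scan output that the vulnerability assessment and reporting steps consume, so most testers turn raw scan results into a host/service inventory first. The parser below is an added example, not from the original notes or from Nmap itself: it reads Nmap's grepable (-oG) format, whose Ports field lists each port as port/state/protocol/owner/service/rpc info/version/, and pulls out the open services. The sample output, hosts, and banners embedded in it are constructed.

```python
import re

# Constructed sample of nmap -oG output; hosts, ports and banners are invented.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.5 (app.internal.example)\tStatus: Up
Host: 10.0.0.5 (app.internal.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.41/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2016 microsoft-ds/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done: 8 IP addresses (2 hosts up) scanned
"""

# Only the Host lines that carry a Ports field matter; Status-only lines are skipped.
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>[^\t]*)")


def parse_port(entry):
    """Split one port/state/proto/owner/service/rpc/version/ entry.
    The version field may itself contain '/', so everything after the
    sixth slash is rejoined and the trailing delimiter removed."""
    fields = entry.strip().split("/")
    port, state, proto, owner, service, rpc = fields[:6]
    version = "/".join(fields[6:]).rstrip("/")
    return {"port": int(port), "state": state, "proto": proto,
            "service": service, "version": version}


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [port dicts]}} from -oG output."""
    inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        entries = [e for e in m.group("ports").split(", ") if e.strip()]
        inventory[m.group("ip")] = {
            "hostname": m.group("name"),
            "ports": [parse_port(e) for e in entries],
        }
    return inventory


def open_services(inventory):
    """Flatten the inventory to (ip, port, service, version) for open ports only,
    which is the list handed to the vulnerability assessment step."""
    rows = []
    for ip, host in sorted(inventory.items()):
        for p in host["ports"]:
            if p["state"] == "open":
                rows.append((ip, p["port"], p["service"], p["version"]))
    return rows


if __name__ == "__main__":
    for row in open_services(parse_gnmap(SAMPLE_GNMAP)):
        print(*row)
```

Filtered and closed ports are kept in the inventory but left out of the service list; a filtered port is still worth noting in the report because it tells you where a firewall sits.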
Vulnerability Testing
Vulnerability Testing- Aka vulnerability scanning; Scans sys or network for list of predefined vulnerabilities