Operations and Maintenance Flashcards

1
Q

Operations security

A

Staying secure: keeping the resiliency of the deployed software above the acceptable risk level.

2
Q

The different types of operations security controls are

A

Detective; Preventive; Deterrent; Corrective; Compensating.

3
Q

Detective Controls

A

are those that can be used to build historical evidence of user and system/process actions. E.g. auditing (logging), intrusion detection systems (IDS).

4
Q

Preventive Controls

A

are those whose goal is to actively or proactively prevent the attack, making it difficult for the attacker to succeed. E.g. input validation, output encoding, bounds checking, patching, intrusion prevention systems (IPS).

5
Q

Deterrent Controls

A

are those which do not necessarily prevent an attack, nor are they merely passive in nature. Their aim is to dissuade an attacker from continuing the attack. E.g. auditing, when the users of the software are aware that they are being audited.

6
Q

Corrective Controls

A

are those which aim to restore the software to a working state after an incident, i.e. provide the recoverability aspect of software assurance. E.g. load balancing, clustering, failover of data and systems.

7
Q

Compensating Controls

A

are those controls that must be implemented when the prescribed software controls as mandated by a security policy or requirement cannot be met due to legitimate technical or documented business constraints. E.g.

8
Q

Ongoing activities that are useful to ensure that the software stays secure:

A

Monitoring; Incident Management; Problem Management; Change Management including Patch and Vulnerability Management; Backup, Recovery and Archiving.

9
Q

Monitoring can be used to:

A

Validate compliance with regulations and other governance requirements; Demonstrate due diligence and due care on the part of the organization towards its stakeholders; Provide evidence for audit defense; Assist in forensic investigations; Identify new threats; …

10
Q

What to monitor

A

Any operation that, when it does not function as expected, can have a negative impact on the brand and reputation of the organization must be monitored.

11
Q

The PCI DSS as one of its requirements mandates that

A

Any physical access to cardholder data or systems that house cardholder data must be appropriately restricted and the restrictions periodically verified.

12
Q

The primary ways in which monitoring is accomplished within organizations today are

A

Scanning; Logging; Intrusion detection.

13
Q

Audits are monitoring mechanisms by

A

which an organization can attest to the assurance aspects (reliability, resiliency and recoverability) of the network, systems and software that it has built or bought.

14
Q

Audits are effective for determining the implementation and effectiveness of security principles such as

A

Separation of duties and least privilege.

15
Q

Some of the things that periodic audits of software can be used for

A

Determine that the security policy of the software is met; Assure data confidentiality, integrity and availability protections; Make sure that authentication cannot be bypassed; Ensure that rights and privileges are working as expected; Check for the proper function of auditing (logging); Find out if unnecessary services, ports and protocols are disabled or removed; …
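The two audit goals above that are most amenable to automation are "rights and privileges are working as expected" and the separation-of-duties / least-privilege check from the previous card. The following is an added example (not from the flashcards or any vendor tool) that audits a constructed role and user export from a hypothetical payments application: it flags any identity holding a conflicting permission pair, and any role that grants nothing beyond what the user's other roles already grant. The roles, permissions, users and conflict pairs are all constructed for illustration.

```python
"""Added example: audit a role/permission export for separation-of-duties (SoD)
conflicts and least-privilege violations. All data below is constructed."""
from dataclasses import dataclass

# Constructed role -> permission mapping for a hypothetical payments application.
ROLE_PERMISSIONS = {
    "clerk": {"payment:create"},
    "approver": {"payment:approve"},
    "auditor": {"log:read"},
    "admin": {"user:manage", "log:read", "log:purge"},
}

# Constructed SoD rules: no single identity may hold both permissions of a pair.
SOD_CONFLICTS = [
    ("payment:create", "payment:approve"),  # initiate and approve the same payment
    ("user:manage", "log:purge"),           # manage accounts and erase the audit trail
]

# Constructed user -> roles assignment, as exported from the application.
USER_ROLES = {
    "alice": {"clerk"},
    "bob": {"clerk", "approver"},     # SoD violation
    "carol": {"auditor"},
    "dave": {"admin"},                # SoD violation baked into the admin role itself
    "erin": {"admin", "auditor"},     # auditor adds nothing that admin does not grant
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str      # "sod_conflict" or "redundant_role"
    detail: tuple  # the conflicting pair, or the redundant role name


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for r in roles:
        perms |= role_permissions.get(r, set())
    return perms


def audit(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS, sod=SOD_CONFLICTS):
    """Return SoD and least-privilege findings, ordered by user name."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        perms = effective_permissions(roles, role_permissions)
        # Separation of duties: a conflicting pair held by one identity.
        for a, b in sod:
            if a in perms and b in perms:
                findings.append(Finding(user, "sod_conflict", (a, b)))
        # Least privilege: a role whose permissions are all covered by the user's other roles.
        for r in sorted(roles):
            others = effective_permissions(roles - {r}, role_permissions)
            if role_permissions.get(r, set()) <= others:
                findings.append(Finding(user, "redundant_role", (r,)))
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"{f.user}: {f.kind} {f.detail}")
```

Note that dave's finding is caused by the design of the admin role rather than by his assignment: when the same conflict appears for every holder of a role, the fix belongs in the role definition, not in the user list. The redundant-role check is only a lower bound on least privilege; it cannot tell whether a non-redundant role is actually needed for the user's job.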

16
Q

Incident management activities

A

The proper protocols to follow and the steps to take when a security breach (or incident) occurs.

17
Q

NIST Special Publication on Computer Security

Incident Handling Guide (SP 800-61)

A

guidance on how to manage computer security incidents effectively.

18
Q

NIST Special Publication SP 800-61

A

NIST SP 800-61 (Computer Security Incident Handling Guide) gives guidance on how to manage computer security incidents effectively.

19
Q

The first step in incident response is to determine

A

If the reported or suspected incident is truly an incident or not. If it is a valid incident, then the type of the incident is determined.

20
Q

Incident management shall define clear procedures to

A

assess the current and potential business impact and risk, along with effective and efficient mechanisms to collect, analyze and report incident data.

21
Q

Event

A

Any action that is directed at an object which attempts to change the state of the object.

22
Q

Red flags

A

Raised when events, upon further analysis, match preset conditions or patterns. E.g. adverse events such as flooded networks, rootkit installations, unauthorized data access, malicious code execution or business disruptions.

23
Q

Alerts

A

Flagged events that need to be scrutinized further to determine whether the occurrence is an incident. Alerts that are validated are categorized as incidents.

24
Q

Security incidents

A

Adverse events that violate or threaten to violate the security policy of the network, system or software applications.

25
Q

Types of Incidents

A

Denial of Service (DoS); Malicious Code; Unauthorized Access; Inappropriate Usage; Multiple Component.

26
Q

Incident Response Process

A

Preparation, detection and analysis, containment, eradication and recovery, and post-incident analysis.

27
Q

Preparation phase activities

A

Establish incident response policies and procedures; Create and train an incident response team (IRT); Perform periodic risk assessments and reduce the identified risks to an acceptable level; Create an SLA that documents the appropriate actions and maximum response times; Identify additional personnel, both internal and external to the organization, who may have to be called on to address the incident; Acquire tools and resources that the IRT personnel can use; Conduct awareness and training on the security policies and procedures and how they relate to the actions prescribed in the Incident Response Plan (IRP).

28
Q

For Detection and Analysis, one of the first activities is to look at the logs or audit trails. The log analysis process is made up of the following steps:

A

Collection, Normalization, Correlation and Visualization.

29
Q

Collection defines the different types of logs that should be collected for analysis, such as

A

Network and Host Intrusion Detection System (NIDS and HIDS) logs; Network Access Control List (ACL) logs; Host logs, such as OS system messages (logon success and failure information, system errors); Application (software) logs that provide information about the activity and interactions between users/processes and the applications; Database logs.

30
Q

Principal reasons for the correlation of logs

A

The primary reason for correlating logs with a threat or threat agent is to deduce patterns. Secondarily, correlation can be used to determine the incident type.

31
Q

How to determine the frequency of the log analysis

A

It is directly related to the value of the asset whose logs are being analyzed.

32
Q

Upon the detection and validation of a security incident, the first course of action that needs to be taken is:

A

Containment, to limit any further damage or additional risk. E.g. shutting down the system, disconnecting the affected systems from the network, disabling ports and protocols, turning off services, taking the application offline.

33
Q

Containment strategy can range from

A

immediate shutdown to delayed containment.

34
Q

Delayed containment is useful to collect more evidence by monitoring the attacker’s activity, but this can be dangerous.

A

The attacker may have the opportunity to elevate privilege and compromise additional assets.

35
Q

Criteria to determine the right containment strategy includes:

A

Potential impact and theft of resources; The need to preserve evidence; Availability of service; Time and resources needed to execute the strategy; The completeness and effectiveness of the strategy; The duration and criticality of the solution; The possibility of the attack to cause additional damage.

36
Q

Eradication

A

The steps necessary to remove and eliminate components of the incident.

37
Q

Recovery mechanisms aim

A

To restore the resource (network, system or software application) back to its normal working state. E.g. restoring systems from legitimate backups, rebuilding services, restoration of compromised accounts and files with correct ones, patch installations, password changes and enhanced perimeter controls.

38
Q

Post-Incident Analysis

A

Lessons learned activities produce a set of objective and subjective data regarding each incident.

39
Q

As part of Post-Incident Analysis, “lesson-learned” activity can:

A

Provide the data necessary to identify and address the problem at its root; Help identify security weaknesses in the network, system or software; Help identify deficiencies in policies and procedures; Be used for evidentiary purposes; Be used as reference material in handling future incidents; Serve as training material; Help improve the security measures and the incident handling processes.

40
Q

NIST SP 800-61

A

The Computer Security Incident Handling Guide (SP 800-61) illustrates some of the outside parties that may have to be contacted and communicated with when security incidents occur within the organization.

41
Q

IRT

A

Incident Response Team

42
Q

Not all incidents require a full-fledged post-incident analysis but at a bare minimum the 5Ws need to be determined and reported on:

A

What happened? When did it happen? Where did it happen? Who was involved? and Why did it happen?

43
Q

The goal of problem management

A

To determine and eliminate the root cause of the problem; in doing so it improves the service that IT provides to the business, because the same issue should not be repeated.

44
Q

Problem Management Process Flow

A

Incident Notification; Root Cause Analysis; Solution Determination; Request for Change; Solution Implementation; Monitor and Report.

45
Q

RCA is performed to determine

A

‘Why’ the problem occurred in the first place.

46
Q

Fishbone diagrams help the team to

A

Graphically identify and organize the possible causes of a problem (effect); using this technique, the team can identify the root cause of the problem.

47
Q

When brainstorming using fishbone diagrams, the RCA process can benefit if categories are used such as

A

People (awareness, training or education, etc.), Process (non-existent, ill-defined, etc.), Technology, Network, Host, Software (coding, 3rd party component, API, etc.), Environment (Production, Development, Test, etc.).

48
Q

Patches

A

Additional pieces of code that are used to update or fix existing software so that the software is no longer susceptible to known bugs.

49
Q

Patching

A

The process of applying these updates or fixes.

50
Q

Patches are often made available from vendors in one of two ways. The most common mechanisms are:

A

Hotfix or Quick Fix Engineering (QFE); Service Pack

51
Q

QFE

A

Quick Fix Engineering

52
Q

Service Pack

A

An update to the software that fixes known problems and in some cases provides additional enhancements and functionality as well.

53
Q

There are some challenges that come with patching

A

The applied patch could potentially cause a disruption of existing business processes and operations; Lack of a simulated (test) environment in which to try the patch, combined with lack of time, budget and resources.

54
Q

Patches that are not tested for their security impact can potentially

A

Revert configuration settings from a secure into an insecure state (e.g. re-enabling ports or services that had been disabled).

55
Q

Some of the necessary steps that need to be taken as part of the patching process include

A

Notifying the users of the software or systems about the patch; Testing the patch in a simulated environment; Documenting the change along with the rollback plan; Identifying the maintenance window (the time when the patch is to be installed); Installing the patch; Testing the patch post-installation in the production environment; Validating that the patch did not regress the state of security and that it leaves the systems and software in compliance with the minimum security baseline (MSB); Monitoring the patched systems; Conducting post-mortem analysis in case the patch had to be rolled back, and using the lessons learned to prevent future issues.
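The "validate that the patch did not regress the state of security" step, and the previous card's warning that an untested patch can re-enable disabled ports or services, are the kind of check worth scripting so it runs after every patch window. The following is an added example (not from the flashcards or from any NIST publication) that compares a pre-patch and a post-patch snapshot of a hypothetical web host against its MSB: new listeners outside the allowed port list, sshd directives that were compliant before and are not after (a vendor package overwriting a config file is the classic cause), and forbidden services newly enabled. The MSB, the `ss -Hltn`-style listener output, the sshd_config fragments and the service lists are all constructed.

```python
"""Added example: post-patch security regression check against a minimum
security baseline (MSB). All snapshots and the baseline are constructed."""
import re

# Constructed MSB for a hypothetical web host.
MSB = {
    "allowed_listen_ports": {22, 443},
    "required_settings": {          # sshd_config directives and their required values
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "X11Forwarding": "no",
    },
    "forbidden_services": {"telnet", "rsh", "rpcbind"},
}

# Constructed `ss -Hltn`-style output captured before and after the patch.
SS_BEFORE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
"""
SS_AFTER = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
"""
# Constructed sshd_config fragments: the patch shipped a new default file that
# commented out one directive and flipped another.
SSHD_BEFORE = "PermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\n"
SSHD_AFTER = "PermitRootLogin no\n#PasswordAuthentication no\nX11Forwarding yes\n"
# Constructed enabled-service sets (e.g. from `systemctl list-unit-files --state=enabled`).
SERVICES_BEFORE = {"sshd", "nginx"}
SERVICES_AFTER = {"sshd", "nginx", "rpcbind"}

# Local address:port column of an `ss -ltn` line; handles IPv4 and bracketed IPv6.
_SS_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+", re.M)


def listen_ports(ss_output):
    """Set of TCP ports in LISTEN state, regardless of bound address."""
    return {int(port) for _, port in _SS_RE.findall(ss_output)}


def sshd_settings(text):
    """Parse 'Directive value' lines; commented-out directives are treated as unset,
    because sshd then falls back to its compiled-in default."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def regressions(ss_before, ss_after, sshd_before, sshd_after, svc_before, svc_after, msb=MSB):
    """Return a list of security regressions introduced between the two snapshots."""
    findings = []
    # 1. New listeners not on the MSB allow-list.
    for port in sorted(listen_ports(ss_after) - listen_ports(ss_before)):
        if port not in msb["allowed_listen_ports"]:
            findings.append(("new_listener", port))
    # 2. Directives that met the MSB before the patch and no longer do.
    before, after = sshd_settings(sshd_before), sshd_settings(sshd_after)
    for key, required in msb["required_settings"].items():
        if before.get(key) == required and after.get(key) != required:
            findings.append(("setting_regressed", key, after.get(key)))
    # 3. Forbidden services that the patch enabled.
    for svc in sorted((svc_after - svc_before) & msb["forbidden_services"]):
        findings.append(("forbidden_service_enabled", svc))
    return findings


if __name__ == "__main__":
    for f in regressions(SS_BEFORE, SS_AFTER, SSHD_BEFORE, SSHD_AFTER,
                         SERVICES_BEFORE, SERVICES_AFTER):
        print(f)
```

The check deliberately reports only regressions, i.e. items that were compliant before the patch and are not afterwards, so that the patch post-mortem is not cluttered with pre-existing deviations; a full MSB compliance scan of the post-patch state is a separate, broader audit. On a real host the three inputs would be captured with the same commands before and after installation and stored with the change record and rollback plan.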

56
Q

Special publication 800-40 published by NIST

A

Guide to Enterprise Patch Management Technologies; it describes patch management as the process for identifying, acquiring, installing, and verifying patches for products and systems.

57
Q

Operational activities that assure uninterrupted business operations and continuity

A

Backups, recovery and archiving.

58
Q

When a system has been infected by malware such as Trojan horses and spyware, the only option left for assuring continued integrity is probably

A

To completely format the system and reinstall the software, then restore the data from a secure, trusted and verified backup.

59
Q

Who should be authorized to perform the retrieve-and-restore-backups task?

A

Only those with need-to-know privileges.

60
Q

Bastion host is

A

A fortified computer system that is completely exposed to external attack and attempts at illegal entry. E.g. firewalls, DNS, web and mail servers.

61
Q

Concern about the bastion host

A

Bastion hosts must be carefully designed as insecure design of these can lead to easy penetration by external threat agents into the internal network.

62
Q

Bastion host - security controls

A

It must be hardened, and any unnecessary services, protocols, ports and programs must be disabled before it is deployed.

63
Q

Bastion host systems can be used to continuously monitor the security of the computing environment when it is used in conjunction with intrusion detection systems (IDS) and which other security control?

A

Auditing

64
Q

What is the best recommendation to champion security objectives within the software development organization?

A

Use security metrics rather than Fear, Uncertainty and Doubt (FUD); e.g. inform the development team that there should be no injection flaws in the payroll application.

65
Q

Normalization is

A

The process of parsing audit logs (typically with regular expressions) into a common format from which information indicating security incidents can be extracted; duplicate and redundant information is removed.
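Cards 28 to 30 (log analysis as Collection, Normalization, Correlation and Visualization; which logs to collect; why to correlate) and the normalization card above describe one pipeline, so here is a single added example that runs its first three steps over constructed input. It is not code from the flashcards or from any SIEM product. Three constructed log sources are used: host sshd lines in syslog form, one Snort-style NIDS alert, and an application login log. Each is parsed with a regular expression into a common record, exact duplicates are dropped, and records are correlated by source IP to raise a red flag when one address produces repeated failed logons within a window or shows up adversely in more than one source. The log lines, hostnames, addresses, signature ID and thresholds are all constructed.

```python
"""Added example: Collection -> Normalization -> Correlation over constructed
log lines from three sources. No real systems or addresses are referenced."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed samples, each in the shape its source type usually produces.
HOST_LOG = """\
2024-05-01T10:00:01Z web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-01T10:00:03Z web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-01T10:00:03Z web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-01T10:00:09Z web1 sshd[2311]: Accepted publickey for deploy from 198.51.100.4 port 40012 ssh2
"""
NIDS_LOG = """\
[**] [1:2001219:20] ET SCAN Potential SSH Scan [**] 05/01-10:00:05.120 203.0.113.7:51030 -> 192.0.2.10:22
"""
APP_LOG = """\
2024-05-01T10:00:12Z level=warn event=login_failed user=alice src=198.51.100.9
2024-05-01T10:00:30Z level=info event=login_ok user=deploy src=198.51.100.4
"""

HOST_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port")
NIDS_RE = re.compile(r"\[\*\*\] \[[\d:]+\] (.+?) \[\*\*\] (\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ (\S+?):\d+ -> ")
APP_RE = re.compile(r"^(\S+) level=\w+ event=(\w+) user=(\S+) src=(\S+)")


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize(host_log, nids_log, app_log, year=2024):
    """Parse every source into one record shape: (ts, source, src_ip, user, outcome).
    Exact duplicates (repeated syslog lines) are dropped and the result is time-ordered."""
    records = []
    for line in host_log.splitlines():
        m = HOST_RE.match(line)
        if m:
            records.append((_iso(m[1]), "host", m[5], m[4], "fail" if m[3] == "Failed" else "ok"))
    for line in nids_log.splitlines():
        m = NIDS_RE.search(line)
        if m:  # Snort-style timestamps carry no year, so the caller supplies it.
            ts = datetime(year, int(m[2]), int(m[3]), *map(int, m[4].split(":")), tzinfo=timezone.utc)
            records.append((ts, "nids", m[5], None, "alert"))
    for line in app_log.splitlines():
        m = APP_RE.match(line)
        if m:
            records.append((_iso(m[1]), "app", m[4], m[3], "fail" if m[2] == "login_failed" else "ok"))
    return sorted(set(records), key=lambda r: (r[0], r[1]))


def correlate(records, window_seconds=60, fail_threshold=2):
    """Group by source IP; flag an address that has >= fail_threshold failed logons
    inside the window, or that appears adversely in more than one log source."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r[2]].append(r)
    flags = []
    for ip, recs in sorted(by_ip.items()):
        reasons = []
        adverse = [r for r in recs if r[4] in ("fail", "alert")]
        if len({r[1] for r in recs}) > 1 and adverse:
            reasons.append("multi_source")
        fails = [r for r in recs if r[4] == "fail"]
        if len(fails) >= fail_threshold and (fails[-1][0] - fails[0][0]).total_seconds() <= window_seconds:
            reasons.append("brute_force")
        if reasons:
            flags.append((ip, tuple(reasons), len(recs)))
    return flags


if __name__ == "__main__":
    recs = normalize(HOST_LOG, NIDS_LOG, APP_LOG)
    for flag in correlate(recs):
        print(flag)
```

Two details matter in practice: normalization must carry every source onto the same clock (the NIDS line has no year and no zone, so both are supplied explicitly), and the correlation key must be something all sources share, here the source IP, because the NIDS record has no user name. The Visualization step is not shown; the flag tuples are what a dashboard or ticket would be built from.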