Operations Security Flashcards
zero day exploit
working exploit code exists for a vulnerability that has not yet been patched
differential backup
backs up files changed since the last full backup; quicker than a full backup, but each differential grows (and takes longer) as more files change since that full; restore needs only the last full plus the latest differential
RAID levels
0 - striped set; 1 - mirrored set; 3 - byte-level striping with dedicated parity; 4 - block-level striping with dedicated parity; 5 - block-level striping with distributed parity; 6 - block-level striping with double distributed parity
RAID 2
bit-level striping with Hamming-code error correction: not commercially viable for hard disks; cost prohibitive
mirroring
complete duplication of data to another disk, used by some levels of RAID (e.g. RAID 1); achieves full data redundancy by writing every block to multiple hard disks
active-passive
standby node(s) begin processing only when a failure of the active node is detected
full backup
contains all of the allocated data on the disk; quick recovery (a single set to restore); long backup time and the most media used
sniffing
capturing traffic as it passes the attacker's network interface (passive eavesdropping); an attacker positioned to sniff a connection is often also able to insert a malicious system in the middle of it
recovery
cautiously restoring the affected system or systems to operational status and verifying they are clean
macro virus
malicious code written in an application's macro language that infects Microsoft Office documents
lessons learned
phase of the incident lifecycle most likely to be neglected; reviews what happened and feeds improvements back into preparation
SYN flood
DoS; resource exhaustion; attacker sends many SYNs but never completes the handshake (ignores the SYN/ACK), filling the target's half-open connection table
teardrop
DoS; malformed packet; sends IP fragments with overlapping offsets, targeting bugs in the victim's fragment reassembly
RAID 5
striped set w/ distributed parity (block level): performance gains; data redundancy; can lose any 1 disk and still function (the lost block is the XOR of the others in its stripe)
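Added worked example (not part of the flashcards): RAID 5 laid out in Python, with parity rotating across disks, one disk lost, and the lost disk rebuilt by XOR. The disk count, block size and sample data are illustrative assumptions.

```python
# Added example (not part of the flashcards): RAID 5 striping with rotating
# parity, one-disk failure, and XOR reconstruction. Disk count, block size
# and the sample data below are illustrative assumptions.
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this is all RAID 5 parity is."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, n_disks: int, block_size: int) -> List[List[bytes]]:
    """Lay data out in stripes of (n_disks - 1) data blocks plus one parity block.

    Parity is 'distributed': stripe s puts it on disk (n_disks - 1 - s) % n_disks,
    so no single disk becomes the parity bottleneck that RAID 3/4 have.
    Returns disks[d][s] = block stored on disk d in stripe s.
    """
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (n_disks - 1) * block_size
    padded = data + b"\0" * (-len(data) % per_stripe)       # pad to whole stripes
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s, start in enumerate(range(0, len(padded), per_stripe)):
        chunk = padded[start:start + per_stripe]
        data_blocks = [chunk[i:i + block_size] for i in range(0, per_stripe, block_size)]
        parity_disk = (n_disks - 1 - s) % n_disks
        parity = xor_blocks(data_blocks)
        next_block = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(next_block))
    return disks


def raid5_rebuild(disks: List[Optional[List[bytes]]]) -> List[List[bytes]]:
    """Rebuild the single failed disk (marked None) from the survivors.

    Every stripe XORs to zero, so the missing block of each stripe is the XOR
    of the surviving blocks, whether it held data or parity.
    """
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise ValueError("RAID 5 tolerates exactly one failed disk")
    survivors = [d for d in disks if d is not None]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    out = list(disks)
    out[missing[0]] = rebuilt
    return out  # type: ignore[return-value]


def raid5_read(disks: List[List[bytes]], length: int) -> bytes:
    """Read back the first `length` bytes, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (n_disks - 1 - s) % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def demo() -> bytes:
    """Write sample data to 4 disks, lose disk 2, rebuild it and read the data back."""
    data = b"operations security: parity beats mirroring on disk cost"  # constructed sample
    disks = raid5_write(data, n_disks=4, block_size=8)
    degraded = list(disks)
    degraded[2] = None        # simulate a disk failure
    return raid5_read(raid5_rebuild(degraded), len(data))


if __name__ == "__main__":
    print(demo())
```

Losing a second disk makes `raid5_rebuild` raise, which is the RAID 5 limit the card states; RAID 6 survives that case only because it keeps a second, differently computed parity block per stripe.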
ping of death
DoS; malformed packet; sends a malformed ICMP echo request (ping) whose fragments reassemble to more than the maximum IP packet size (65,535 bytes)
remanence
data that may persist on storage media after removal attempts (deletion, formatting)
spoofing
masquerading as another endpoint
RAID 6
striped set w/ dual distributed parity: can accommodate loss of 2 drives and still function
preparation
steps taken before incident occurs; includes training, writing incident response policies/procedures, providing tools
incremental backup
only archives files that have changed since the last backup of any kind; quick backup; long recovery (needs the last full plus every incremental taken since it, applied in order)
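Added worked example (not part of the flashcards) covering the full, differential and incremental backup cards together: a simulation of which files each backup type captures over a few days, and which backup sets a restore then needs. File names, the change pattern and the schedules are constructed for illustration.

```python
# Added example (not part of the flashcards): simulates which files full,
# differential and incremental backups capture under the card definitions, and
# which backup sets a restore then needs. File names, days and the change
# pattern are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Backup:
    day: int
    kind: str            # "full", "differential" or "incremental"
    files: Set[str]      # files captured by this backup set


def run_schedule(all_files: Set[str],
                 changes: Dict[int, Set[str]],
                 schedule: Dict[int, str]) -> List[Backup]:
    """changes[day] = files modified during that day; schedule[day] = backup run at end of day.

    Modelled on the card definitions: a full backup captures everything, a differential
    captures what changed since the last full, an incremental captures what changed
    since the last backup of any kind.
    """
    backups: List[Backup] = []
    dirty_since_full: Set[str] = set()
    dirty_since_any: Set[str] = set()
    for day in sorted(set(changes) | set(schedule)):
        changed = changes.get(day, set())
        dirty_since_full |= changed
        dirty_since_any |= changed
        kind = schedule.get(day)
        if kind is None:
            continue
        if kind == "full":
            files = set(all_files)
            dirty_since_full.clear()
        elif kind == "differential":
            files = set(dirty_since_full)           # keeps growing until the next full
        elif kind == "incremental":
            files = set(dirty_since_any)
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        dirty_since_any.clear()                     # every backup resets "since any"
        backups.append(Backup(day, kind, files))
    return backups


def restore_chain(backups: List[Backup]) -> List[Backup]:
    """Backup sets needed, in order, to restore to the state after the last backup."""
    fulls = [i for i, b in enumerate(backups) if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup to restore from")
    start = fulls[-1]
    chain = [backups[start]]
    for b in backups[start + 1:]:
        if b.kind == "differential":
            chain = [backups[start], b]    # a newer differential supersedes everything between
        else:
            chain.append(b)                # every incremental is needed
    return chain


def restore(chain: List[Backup]) -> Dict[str, int]:
    """Apply the chain in order; returns file -> day of the version restored."""
    state: Dict[str, int] = {}
    for b in chain:
        for f in b.files:
            state[f] = b.day
    return state


def files_archived(backups: List[Backup]) -> int:
    """Total file copies written, a proxy for backup time and media used."""
    return sum(len(b.files) for b in backups)


# Constructed scenario: full on day 1, then one backup per day for three days.
ALL_FILES = {"payroll.db", "config.yml", "app.log", "notes.txt"}
CHANGES = {2: {"payroll.db"}, 3: {"app.log"}, 4: {"payroll.db"}}
DIFFERENTIAL_PLAN = {1: "full", 2: "differential", 3: "differential", 4: "differential"}
INCREMENTAL_PLAN = {1: "full", 2: "incremental", 3: "incremental", 4: "incremental"}


def compare_plans() -> Dict[str, Dict[str, int]]:
    """For each plan: file copies written over the week vs. sets needed to restore on day 4."""
    result = {}
    for name, plan in (("differential", DIFFERENTIAL_PLAN), ("incremental", INCREMENTAL_PLAN)):
        backups = run_schedule(ALL_FILES, CHANGES, plan)
        chain = restore_chain(backups)
        assert restore(chain).keys() == ALL_FILES        # both plans restore every file
        result[name] = {"files_archived": files_archived(backups), "sets_to_restore": len(chain)}
    return result


if __name__ == "__main__":
    print(compare_plans())
```

The numbers it prints are the trade-off on the cards: the differential plan writes more copies (the day-3 and day-4 differentials each carry both changed files) but restores from two sets, while the incremental plan writes fewer copies but needs the full plus all three incrementals.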
need to know
clearance level alone is insufficient when dealing with most sensitive information
account lockouts
used to prevent an attacker from simply guessing the right password by attempting a large number of potential passwords
NDA
non-disclosure agreement: work-related contractual agreement that ensures people will maintain the confidentiality of data
DNS reflection
DoS; attacker sends DNS queries with the victim's address spoofed as the source to poorly configured third-party (open) DNS servers, often for a large record served by an attacker-controlled DNS server; the amplified responses flood the victim
striping
spreading data writes across multiple disks, used by some levels of RAID; gives a performance increase but on its own provides no data redundancy
trojan horse
defined by how they are concealed (malicious code hidden inside an apparently benign program); most often associated with providing an attacker with persistent backdoor access
operations security is concerned with?
threats to a production operating environment
degaussing
destroys the integrity of the magnetization of magnetic media, making data recovery infeasible (does not work on non-magnetic media such as SSDs)
change management process
1. identify the change 2. propose the change 3. assess the risk associated with the change 4. test the change 5. schedule the change 6. notify impacted parties of the change 7. implement the change 8. report results of the change
Collusion
agreement between 2 or more people to subvert the security of a system
threat vectors
e-mail attachments, open ports, web apps, phone lines (dial-up access) to target internal servers
password cracking
an offline technique in which the attacker has obtained the password hashes or password database and recovers passwords from them without touching the live authentication system
eradication
process of understanding the cause of the incident and removing it (malware, attacker access) so the system can be reliably cleaned and ultimately restored to operational status
fraggle
DoS; malformed packet; like Smurf, but uses UDP (echo/chargen services) instead of ICMP
password guessing
online technique that involves attempting to authenticate a particular user to a system
background checks
administrative control
mandatory leave
closely related to rotation of duties; reduces or detects personnel single points of failure; detects/deters fraud, since fraudulent or suspicious behavior tends to surface while the person is away
containment
attempts to keep further damage from occurring (e.g. isolating affected systems) while preserving evidence
malware
one of the best known types of threats to an info system
RAID 4
striped set with dedicated parity (block level): same as RAID 3 but at block level
separation of duties
prescribes that multiple people are required to complete critical or sensitive transactions, so no single person can carry one out alone
Smurf
DoS; resource exhaustion/amplification; ICMP echo requests (pings) with the victim's address spoofed as the source are sent to a network broadcast address, and every host's reply floods the victim
vulnerability management
emphasizes that finding vulnerabilities is not enough: the vulnerability information produced by scanning must be managed (tracked, prioritized, remediated, verified)
vulnerability scanning
way to discover poor configurations and missing patches in an environment
parity
achieves data redundancy without incurring the same degree of cost as mirroring in terms of disk usage and write performance; parity is the XOR of the data blocks in a stripe, so any one lost block can be recomputed
zero day vulnerability
vulnerability that is known before a patch for it exists
DoS
denial of service: one-to-one availability attack; distributed DoS (DDoS) is a many-to-one availability attack
rootkit
malware that is focused on hiding its own existence from a savvy admin trying to detect malware
Land
DoS; malformed packet; spoofed SYN packet whose source IP address and port equal the destination IP address and port, making the target respond to itself
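Added worked example (not part of the flashcards) for the three malformed-packet cards, teardrop, ping of death and Land: detection logic for each signature run over a constructed list of packet records. The record fields and the sample packets are assumptions for the demo, not a real capture format.

```python
# Added example (not part of the flashcards): detection logic for the three
# "malformed packet" DoS signatures on the cards (teardrop, ping of death, Land)
# run over a constructed list of packet records. The record fields and the
# sample packets are assumptions for the demo, not a real capture format.
from collections import defaultdict
from typing import Any, Dict, List, Tuple

IP_MAX_DATAGRAM = 65535     # maximum IPv4 total length
IP_HEADER_LEN = 20          # header size assumed for the size check

Packet = Dict[str, Any]
FragKey = Tuple[str, str, int]


def is_land(p: Packet) -> bool:
    """Land: a SYN whose source address/port equals its destination address/port,
    so the target ends up handshaking with itself."""
    return (p["proto"] == "tcp" and "S" in p.get("flags", "")
            and p["src"] == p["dst"] and p.get("sport") == p.get("dport"))


def is_ping_of_death(p: Packet) -> bool:
    """Ping of death: an ICMP echo request whose fragments reassemble to more
    than the 65,535-byte IPv4 maximum. Each fragment announces its own offset
    (in 8-byte units) and payload length, so the last fragment gives it away."""
    if p["proto"] != "icmp" or p.get("icmp_type") != 8:
        return False
    reassembled = p.get("frag_off", 0) * 8 + p["len"] + IP_HEADER_LEN
    return reassembled > IP_MAX_DATAGRAM


def find_teardrop(packets: List[Packet]) -> List[FragKey]:
    """Teardrop: IP fragments of one datagram whose offsets overlap.
    Groups fragments by (src, dst, ip_id), sorts by offset and reports any
    fragment that starts before the previous one ends."""
    groups: Dict[FragKey, List[Packet]] = defaultdict(list)
    for p in packets:
        if p.get("frag_off", 0) or p.get("more_frags", False):
            groups[(p["src"], p["dst"], p["ip_id"])].append(p)
    overlapping: List[FragKey] = []
    for key, frags in groups.items():
        frags.sort(key=lambda f: f.get("frag_off", 0))
        end = 0
        for f in frags:
            start = f.get("frag_off", 0) * 8
            if start < end:
                overlapping.append(key)
                break
            end = start + f["len"]
    return overlapping


def classify(packets: List[Packet]) -> Dict[str, int]:
    """Count each malformed-packet signature seen in the stream."""
    return {
        "land": sum(is_land(p) for p in packets),
        "ping_of_death": sum(is_ping_of_death(p) for p in packets),
        "teardrop": len(find_teardrop(packets)),
    }


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS: List[Packet] = [
    # benign TCP SYN to a web server
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "sport": 51000, "dport": 443, "flags": "S"},
    # Land: src == dst, sport == dport
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10", "sport": 139, "dport": 139, "flags": "S"},
    # normal 64-byte ping
    {"proto": "icmp", "icmp_type": 8, "src": "10.0.0.5", "dst": "192.0.2.10", "len": 64},
    # ping of death: final fragment at byte offset 65120 with 1480 bytes -> 66,620 bytes reassembled
    {"proto": "icmp", "icmp_type": 8, "src": "198.51.100.9", "dst": "192.0.2.10",
     "ip_id": 7, "frag_off": 8140, "more_frags": False, "len": 1480},
    # well-formed fragment pair (second starts exactly where the first ends)
    {"proto": "udp", "src": "10.0.0.6", "dst": "192.0.2.10", "ip_id": 21, "frag_off": 0, "more_frags": True, "len": 1480},
    {"proto": "udp", "src": "10.0.0.6", "dst": "192.0.2.10", "ip_id": 21, "frag_off": 185, "more_frags": False, "len": 200},
    # teardrop: second fragment claims byte offset 24, inside the first fragment's 36 bytes
    {"proto": "udp", "src": "198.51.100.9", "dst": "192.0.2.10", "ip_id": 242, "frag_off": 0, "more_frags": True, "len": 36},
    {"proto": "udp", "src": "198.51.100.9", "dst": "192.0.2.10", "ip_id": 242, "frag_off": 3, "more_frags": False, "len": 4},
]

if __name__ == "__main__":
    print(classify(SAMPLE_PACKETS))
```

The size check is deliberately per-fragment: a reassembler that waits for the whole datagram before checking is exactly the component the ping of death crashes, so the detector flags the offending fragment on arrival.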
detection and analysis
events are analyzed in order to determine whether these events might comprise a security incident
worm
self-propagates across the network without user interaction
compartmentalization
method for enforcing need to know
RAID 0
striped set: improves performance of read/writes; no data redundancy
rollback plan/backout plan
details procedures for reversing the change should that be deemed necessary
baselining
process of capturing a point-in-time understanding of the current system security configuration, used later to detect changes
threat agents
the actors causing the threats that might exploit a vulnerability
MITM
Man in the middle: places attacker between victim and another system; goal is to serve as undiscovered proxy for either or both endpoints
RAID 1
mirrored set: has an exact duplicate of all data on other disks
principle of least privilege
persons have no more than the access that is strictly required for the performance of their duties; aka principle of minimum necessary access
virus
malicious code that attaches itself to executable code and requires user interaction (running the host program) to spread
active-active
each node in a high-availability cluster is actively processing data in advance of a failure; the surviving node(s) absorb the load when one fails
clipping levels
thresholds (e.g. number of failed logins within a period) that differentiate between malicious attacks and normal users accidentally mistyping their passwords; only activity above the level is treated as an attack
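Added worked example (not part of the flashcards) for the clipping levels and account lockouts cards: a failed-login threshold applied to constructed authentication log lines. Failures per user are counted in a sliding window; crossing the threshold locks the account, while a user who mistypes twice and then succeeds is never locked. The log format, threshold, window and lockout duration are assumptions for the demo.

```python
# Added example (not part of the flashcards): a clipping level applied to
# constructed authentication log lines. Failed logins per user are counted in a
# sliding window; crossing the threshold locks the account, while a user who
# mistypes twice and then succeeds is never locked. The log format, threshold,
# window and lockout duration are assumptions for the demo.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

LOG_RE = re.compile(r"^(\S+ \S+) \S+ (FAIL|OK) user=(\S+) src=(\S+)$")

Event = Tuple[datetime, str, str]   # (time, user, what happened)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """-> (timestamp, result, user, source address) for one constructed log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def apply_clipping_level(lines: List[str],
                         threshold: int = 5,
                         window: timedelta = timedelta(minutes=15),
                         lockout: timedelta = timedelta(minutes=30)) -> Tuple[List[Event], Dict[str, datetime]]:
    """Lock a user after `threshold` failures within `window`; reject attempts while locked.

    Returns the notable events and a map user -> time the lock expires.
    A success clears the failure count, so ordinary typos never reach the threshold.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked_until: Dict[str, datetime] = {}
    events: List[Event] = []
    for line in lines:
        ts, result, user, src = parse_line(line)
        if user in locked_until and ts < locked_until[user]:
            events.append((ts, user, f"REJECTED_LOCKED src={src}"))
            continue
        recent = failures[user]
        while recent and ts - recent[0] > window:     # expire failures outside the window
            recent.popleft()
        if result == "OK":
            recent.clear()
            events.append((ts, user, "LOGIN"))
            continue
        recent.append(ts)
        if len(recent) >= threshold:                   # clipping level reached
            locked_until[user] = ts + lockout
            recent.clear()
            events.append((ts, user, f"LOCKED src={src}"))
    return events, locked_until


# Constructed log lines: alice mistypes twice and gets in; one source hammers bob's account.
LOG_LINES = [
    "2024-03-01 09:00:00 sshd FAIL user=alice src=10.0.0.7",
    "2024-03-01 09:00:20 sshd FAIL user=alice src=10.0.0.7",
    "2024-03-01 09:00:45 sshd OK user=alice src=10.0.0.7",
    "2024-03-01 09:10:00 sshd FAIL user=bob src=198.51.100.9",
    "2024-03-01 09:10:05 sshd FAIL user=bob src=198.51.100.9",
    "2024-03-01 09:10:10 sshd FAIL user=bob src=198.51.100.9",
    "2024-03-01 09:10:15 sshd FAIL user=bob src=198.51.100.9",
    "2024-03-01 09:10:20 sshd FAIL user=bob src=198.51.100.9",
    "2024-03-01 09:10:25 sshd FAIL user=bob src=198.51.100.9",
    "2024-03-01 09:30:00 sshd OK user=bob src=198.51.100.9",   # even a correct password is refused while locked
]


def locked_users(lines: List[str] = LOG_LINES) -> Dict[str, datetime]:
    """Users locked out by the sample log and when each lock expires."""
    return apply_clipping_level(lines)[1]


if __name__ == "__main__":
    for ts, user, what in apply_clipping_level(LOG_LINES)[0]:
        print(ts, user, what)
```

The lockout itself is a DoS lever: anyone who can send five bad passwords for a username can lock that user out, so production deployments pair the clipping level with a finite lockout duration (as here) and often with per-source rate limits rather than per-account locks alone.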
RAID 3
striped set w/ dedicated parity (byte level): performance gains; the single parity disk can become a write bottleneck
change management
maintains consistent and known operational security; its purpose is to understand, communicate, and document any changes, with the primary goal of being able to understand, control and avoid the negative impact changes might impose
rotation of duties
aka job rotation or rotation of responsibilities; requires that no one person performs critical functions or responsibilities without interruption; mitigates fraud and personnel single points of failure
incident lifecycle
1. preparation 2. detection and analysis (identification) 3. containment 4. eradication 5. recovery 6. lessons learned
fundamental aspect of operations sec?
ensuring controls are in place to inhibit people from either inadvertently or intentionally compromising the CIA of data or systems