Operations Security - Domain 7 Flashcards

2
Operations Security - 3 Daily Tasks
1. Operational Assurance 2. Daily Procedures 3. Vulnerability assessment and pen test
3
Operations Security - Daily Procedures (6)
1. Configuration Management 2. Change Management 3. Asset Management 4. License Management 5. Capacity Planning 6. Fault Management
4
Operations Security - Operations Responsibilities (7)
1. Maintaining production systems 2. Integrating new software and systems into the production environment 3. Installing new versions of programs 4. Running batch jobs, creating reports, patching systems 5. Managing backups 6. Managing audit logs 7. Dealing with network and system failures, upgrades, and configurations
5
Operations Security - Operational Duties (2)
1. Unusual or unexplained occurrences 2. Deviations from standards
6
Operations Security - Deviations from Standards (4)
1. Performance decreases, bandwidth usage increases, excessive memory use 2. Unscheduled initial program loads 3. Mainframe term for loading the kernel 4. Computer rebooting for no obvious reason
7
Operations Security - Personnel (Operators - mainframes)
1. Monitor execution of the system 2. Control flow of jobs 3. Mounting I/O volumes 4. Initial program load 5. Renaming/relabeling resources 6. Reassigning ports/lines
8
Operations Security - Personnel (Network administrator)
1. Maintenance and control of network operations 2. All device and system administration tasks
9
Operations Security - Personnel (Security administrator)
1. Implementing dictated user clearances 2. Setting initial passwords and security profiles for users 3. Configuring sensitivity levels 4. Implementing device security mechanisms and secure communication channels 5. Reviewing audit logs
10
Operations Security - Audit Data
1. Audit logs are an automated feature of certain operating systems and programs that create a record of specific transactions or activities 2. Computer fraud can increase if audit logs are not being kept and reviewed 3. Trend analysis tools are used to identify anomalies in audit logs 4. Exception reports are a result of system monitoring activity that is a deviation from standards or policies
11
Operations Security - Library types
1. Production - holds software in production 2. Programmer - holds work in progress 3. Source code - holds source and should be escrowed 4. Media - hardware centrally controlled
12
Controlling access to media - Librarian
1. Librarian controls access 2. Logs who takes what material out and when 3. Materials should be properly labeled 4. Media must be properly sanitized
13
Purpose of trusted recovery
1. No compromise of protection mechanisms or possibility of bypassing them (BSOD) 2. Preparing the system for failure and recovering the system 3. Failure of the system cannot be used to breach security
14
Fax machine security issues (2)
1. Can be used to transfer sensitive data 2. Paper in the bin for all to see
15
Fax security solution (5)
1. Fax server can route faxes directly to an email box instead of printing 2. Can disable the print feature 3. Fax encryptor encrypts bulk data at the data link layer 4. Provides extensive logging and auditing 5. Can use public key crypto for secure transfer of material
16
Network availability (3)
1. One of the three primary security principles 2. Attacks, component or device failure can affect a network's availability 3. Single points of failure must be avoided
17
Hot Spares
1. SLA 2. MTBF 3. MTTR
18
RAID
1. Provides fault tolerance 2. Data is separated into multiple units on multiple disks using striping and parity 3. HW or SW implementation 4. Provides high availability
19
RAID types (4)
1. RAID 0 striped 2. RAID 1 mirrored 3. RAID 5 striped w/ parity 4. RAID 10 striped w/ mirroring
20
Backups
1. Backing up software and having backup hardware is a large part of network availability 2. It is important to be able to restore data
21
Backups - Types
1. Full - archive bit set 2. Incremental - backs up modified files and resets the archive bit 3. Differential - all files since the last backup; the archive bit is not reset 4. Copy - same as full but the archive bit is not reset
22
Intrusion Detection Systems (4) IDS
1. Software is used to monitor a network segment or computer 2. Used to detect attacks and other malicious activity 3. Dynamic 4. Two types - network and host
23
IDS - Network (3)
1. Monitors traffic on a segment 2. Computer or network appliance with a NIC in promiscuous mode 3. Sensors communicate with a central management console
24
IDS - Host (2)
1. Small programs that reside on an individual computer 2. Detects suspicious activity on one system, not a network segment
25
IDS components (3)
1. Sensors 2. Analysis engine 3. management console
26
IDS - Signature based (3)
1. IDS has a database of signatures, which are patterns of previously defined attacks 2. Cannot identify new attacks 3. Database needs continual updates
27
IDS - Behaviour based (3)
1. compares audit files, logs, and network behavior and develops and maintains profiles of normal behavior 2 Better defense against new attacks 3 Creates many false positives
28
IDS - Analysis Engine Methods (Pattern)
1. rule based ID 2 Signature based ID 3 knowledge based ID
29
IDS - Analysis Engine Methods (Profile)
1.Statistical ID 2 Anomaly ID 3 Behavior ID
30
IDS Response Options (5)
1. page or email admin 2 log event 3 send reset packets to the attacker connections 4 change a firewall or router ACL to block an IP address or range 5 Reconfigure router or firewall to block protocol being used for attack
31
IDS Issues (5)
1. May not be able to process all packets on a large network 2. Cannot analyze encrypted data 3. Switched networks make it harder to pick up packets 4. A lot of false alarms 5. Not an answer to all prayers
32
Honey Pot - Deployment (4)
1 Pseudo flaw: Loophole purposely added to operating sys or application to trap intruders 2 Sacrificial lamb system on network 3 Administrators hope that intruders will attack this system instead of their production systems 4 It is enticing because many ports are open and services are running
33
Depth in Defense
Multilayered with multiple dimensions
34
Security Testing - Vulnerability Assessment (3)
1. Physical/Operations/Electronic 2 Identify weakness 3 Correct them
35
Security Testing - Penetration testing (3)
1. Ethical hacking to validate discovered weakness 2 Red teams 3 Black box tests
36
Security Testing - NIST
SP 800-42 Guideline on security testing
37
Blue Teaming
Least expensive and most frequently used testing
38
Red Teaming
Provides a better indication of everyday security
39
Testing Guidelines - Reasons for testing
1. Risk analysis 2. Certification 3 Accreditation 4 Security Architectures 5 Policy Development
40
Testing Guidelines (4)
1. Reasons for evaluating an organizations systems 2 Develop a cohesive well-planned and operational security testing program 3 Responsible approach to overall security
41
Why do tests work?
1. Lack of awareness 2 Policies not enforced 3 Procedures not followed 4 Disjointed operations between departments 5 Systems not patched
42
Penetration Testing Goals (5)
1. Check for unauthorized hosts connected to the organization's network 2. Identify vulnerable services 3. Identify deviations from the allowed services defined in the organization's security policy 4. Assist in the configuration of the IDS 5. Collect forensic evidence
43
Penetration Testing Issues (4)
1. Three basic requirements: a. a defined goal, which should be clearly documented b. a limited timeline outlined c. approved by senior management; only management should approve this type of activity 2. Issue: it could disrupt productivity and systems 3. Overall purpose is to determine the subject's ability to withstand an attack and determine the effectiveness of current security measures 4. Tester should determine the effectiveness of safeguards and identify areas of improvement
44
Penetration Testing Roles and Responsibilities (4)
1. Approval for the tests may need to come from as high as the CIO 2. Customary for the testing organization to alert other security officers management and users 3 Avoid confusion and unnecessary expense 4 In some cases it may be wise to alert local law enforcement
45
Penetration Rules of Engagement (6)
1. Specific IP addresses/ranges to be tested 2 A list of acceptable testing techniques 3. Times when testing is to be conducted 4 Points of contact for the penetration testing team, the targeted systems, and the networks 5 Measures to prevent law enforcement being called for false alarms 6 Handling of information collected by pen test team
46
Types of Penetration Testing - Physical (3)
1. Access into a building or department 2. Wiring closets, locked file cabinets, offices, server rooms, sensitive areas 3. Remove materials from the building
47
Types of Penetration Testing - Operational
Help Desk giving out sensitive information, data on disposed disks
48
Types of Penetration Testing - Electronic
Attack on systems, networks, communications
49
Attack Methodology - Target Acquisition
Intelligence gathering, limit information, distractions (honeypots)
50
Attack Methodology - Target Analysis
Look for weakness, remove vulnerable services, hide identifying information regarding vulnerable services
51
Attack Methodology - Target Access
Strong Access Controls (AAA) and identity management
52
Attack Methodology - Target Appropriation
Privilege escalation and rootkit (back door) escalation
53
Test Attack Phases - Reconnaissance
Learning about the target from public sources of information
54
Test Attack Phases - Footprinting (3)
1. Mapping the network 2 ICMP ping sweeps 3 DNS Zone transfers
55
Test Attack Phases - Fingerprinting (2)
1. Identifying the host information 2 Port scanning
56
Test Attack Phases - Vulnerability Assessment (2)
1. Identifying weaknesses in system configuration 2 Discovering unpatched software
57
Test Attack Phases - The Attack! (4)
1. Penetration 2 Privilege escalation 3 Root Kits 4 Cover tracks
58
Attacks - Ping of Death (3)
1 Sending a series of oversized ICMP packets 2 receiver does not expect this size packet or know what to do with it 3 DoS attack
59
Attacks - Spoofing (3)
1. Use a bogus IP address 2 Using captured credentials 3 Countermeasures: encryption, OTP, ingress and egress filtering, report last time user accessed system
60
Attacks - Spamming (2)
1. Distributing un-requested mail 2 Countermeasures: e-mail filters, disable mail relay on mail servers
61
Attacks - Teardrop
Sending malformed fragmented packets that freeze certain systems when they try to assemble the fragments
62
Attacks - Land
1. Destination and source address and port numbers are the same 2. Most operating systems and routers have been vulnerable
63
Patch Management
Faster more systematic testing and optimized patch rollout reduces the window of vulnerability on installed systems
64
Padded Cell and vulnerability tools (4)
1. Concept used in software programming where a safe environment is created for applications and processes to run in 2 Concept used in IDS where identified intruder is moved to a “safe” environment without their knowing 3 Simulated environment to keep the intruder happy and busy 4 aka: self mutating honey pot , Tarpit
65
Watching Network Traffic - Traffic Analysis
Watching traffic and its patterns to try and determine if something special is taking place
66
Watching Network Traffic - Traffic Padding (3)
1. Generating spurious data in traffic to make traffic analysis more difficult 2. The amount and nature of traffic may be masked 3. Attempt to keep traffic constant so no information can be gained
67
Attack Phases (4)
1. Gaining access 2 Escalation of privilege 3 System browsing 4 Install additional software
68
Privilege Escalation - SetUID
1. Unix program that has root privileges but can be run by users 2 When a user changes their password, the command changes files that only root has access to 3. Some SetUID programs have bugs to allow elevated privilege through buffer overflows or race conditions
69
Privilege Escalation - SU
1. Switch User command 2. Changes user credentials to root or a specified user temporarily
70
Network Scanning (3)
1. List all active hosts 2 Network services 3 Port scanner (NMAP, Finger, Banner Grabbing)
71
Vulnerability Scanning - Identifying (6)
1. Identifying active hosts on network 2. Identifying active and vulnerable services 3 Identifying Applications 4 Identifying OS 5 Identifying vulnerabilities associated with identified apps and OS 6 Identifying misconfigured settings
72
Vulnerability Scanning - Testing
Compliance with host application usage/security policies
73
Vulnerability Scanning - Establish
Foundation for penetration testing
74
Password Cracking (3)
1. Goal is to identify weak passwords 2. Passwords are generally stored and transmitted in an encrypted form called a hash 3. Password cracking requires captured password hashes
75
Password Cracking Techniques (5)
1. Dictionary 2 Brute Force 3 Hybrid 4 LanMan password hashes 5 Rainbow tables
76
War Dialing (4)
1. Goal is to discover unauthorized modems 2. Dial large blocks of numbers in search of modems 3. Include all numbers for an organization except those that could be impacted negatively 4. If removal is not possible, block inbound calls to the modem
77
Wireless LAN testing - 802.11 (2)
1 Serious flaws in its current implementation of WEP 2 Default configuration
78
Wireless LAN testing - Web
Web sites publish the locations of discovered wireless networks
79
Wireless LAN testing - Wireless Attacks (4)
1 Insertion attacks 2 Interception and monitoring of wireless traffic 3 DoS 4 Client to Client attacks
80
Reporting - Planning (3)
1. Rules of engagement 2 Test plans 3 Written permission
81
Reporting - Discovery and attack (2)
1. documentation of logs 2. Periodic reports
82
Reporting - End of test Report (2)
1. Describe the identified vulnerabilities and risk rating 2 Guidance on the mitigation of these weaknesses
83
Corrective Actions (9)
1. Investigate and disconnect unauthorized hosts 2. Disable or remove unnecessary and vulnerable services 3. Modify vulnerable hosts to restrict access to vulnerable services to a limited number of required hosts 4. Modify enterprise firewalls to restrict outside access to known vulnerable services 5. Upgrade or patch vulnerable systems 6. Deploy mitigating countermeasures 7. Improve configuration management program and procedures 8. Assign a staff member to: a. monitor vulnerability alerts b. examine applicability to the environment c. initiate appropriate system changes 9. Modify the organization's security policies and architecture
84
Log Reviews (6)
1. Firewall Logs 2. IDS Logs 3 Server Logs 4 Other logs that collect audit data 5 Snort is a free IDS sensor 6 Log reviews should be conducted very frequently on major servers and firewalls
85
Deploy file integrity checkers (6)
1 Computes and stores a checksum 2 Should be recomputed regularly 3 Usually included with any host-based intrusion detection system 4 Requires a system that is known to be secure to create the initial reference database 5 False positive alarms 6 LAN guard is a freeware file integrity checker
86
Change Control (3)
1 Operations staff should be involved with decisions pertaining to changes of the environment to control any modifications 2 Involvement of Operations ensures that changes to a system are not done unintentionally 3 Change should be submitted, approved, tested, and documented before being implemented
87
Purpose of Configuration Management (3)
1. Identifying, controlling, accounting for and auditing changes made to the baseline TCB 2. A system that will control changes and test documentation through the operational lifecycle of a system 3. Major objective is system stability
88
Redundant Servers
Primary server mirrors data to a secondary server: a. Hot - an online spare that is available for immediate failover with no interruption in client hosting b. Warm - a hot spare that would be available for immediate failover, although clients would lose their connections and require re-establishment c. Cold - a configured standby spare that could be used if the primary is unavailable. This results in lost connections.
89
Redundant Networks - Dual Backbone (3)
1. One of the best examples of increasing network availability is the over-design of backbone networks 2. A completely redundant backbone network design is commonly referred to as the dual backbone network 3. Building and campus networks utilize a dual backbone design to ensure paths between endpoints, data centers, plus wide area and internet connections always stay open
90
Clustering (4)
1. Group of servers that are managed as a single system 2 higher availability, greater scalability, easier to manage instead of individual systems 3 All servers take part in processing 4 cluster looks like a single server to the user
91
SAN - Bring networking to storage (6)
1 Best in class system elements 2 Server and storage consolidation 3 Redundancy 4 Load balancing 5 Business continuance 6 centralized management