Part 6 Flashcards
What is the service that allows hardware and software access and information transfer between different security domains or levels of classification either manually or automatically?
Cross Domain Services / Multi-Level Security (CDS/MLS)
What eliminates the need for multiple workstations to access different enclaves?
Secure Office Trusted Thin Client (SOTTC)
What is used to restrict the data flow from applications and users to the management resources in each enclave?
Virtual Routing and Forwarding (VRF)
On CANES, laptops with SECNET 54 devices attached that use SECRET wireless require what kind of encryption device?
HAIPE-compliant devices
How many wireless access points do platforms hosting CANES with CISCO Aironet 1242 AG have?
30
What are the 4 accounts of HBSS?
Sqlsrvusr: used for local log on for the SQL service
Sqlsrvagt: used for local log on for the SQL Server Agent service
Eposql: this account is built into SQL Server Management, and is the account that ePO uses to “talk” to the MSSQL database
Proxy.epo: this AD account is used for Master Repository replication and other off-ship communications
Which account does ePO use to talk to SQL?
Eposql
Which account does HBSS use for off ship communication?
Proxy.epo
In the CANES implementation, rogue sensors must be installed on which of the following servers?
BU01, BU02, MTS, VC01, WEB
Which server should NOT have a rogue sensor as it is a DHCP server and has conflicts with the Threat Management Gateway (TMG)?
IAEXET
What is the name of the agent that handles audit records?
NetIQ
Which appliance controls access to the CANES network?
Identity Services Engine (ISE)
What applies local security at the end of its software installation and provides an automated way to apply the local security portion by itself?
Security Configuration Module (SCM)
What term signifies that the system is secured to the highest degree possible, while still allowing for the operational environment in which the systems must function?
Hardening
Where is Symantec Endpoint Security Manager installed?
Ex01
Symantec Mail Security for Microsoft Exchange (SMSME) scans email messages that pass through the Exchange server and protects the Exchange server from what?
Threats (viruses, worms, Trojan horses, DoS)
Security risks (adware, spyware)
Unwanted content
Unsolicited email (spam)
What kind of server is the Threat Management Gateway (TMG)?
A member server (not a domain controller)
What can you set to limit internal users access to the internet?
River City
What is the predefined access rule that protects networks by blocking all traffic not explicitly allowed by other, user-defined access rules, and that is always processed last?
Default Deny Rule
Which products are installed and configured manually, unless the product has a broad scope or is a client application, in which case Microsoft SCCM deploys the product and the configuration is automated?
Operating Environment applications
CANES architecture has how many SADRs?
2
What product combines antivirus, anti-spyware, firewall and intrusion prevention, and was built to secure virtual infrastructure?
Symantec Endpoint Manager (SEM)
If you have an inspection and some portion of a POR system failed or needs correction what do you do?
Contact the POR for changes to the configuration
What is a traditional security concern for routers and switches?
An attacker could console in and reconfigure the router or switch or control the routing and switching.
What are concerns in traditional security?
Access control
Storage media
Password storage
Physical security
Emergency procedures
Personal electronic devices
Wireless devices
Classified material handling
Which CE verifies CND?
CE-06
Which CE demonstrates cyber ops casualty and incident response procedures?
CE-11
How many stages are there in a CCRI?
3
What are the stages of a CCRI?
Admin review
TAV
Inspection CSI
What is a stage 2 CCRI looking at?
5 IA facets as well as the stage 1 findings
How long is the stage 3?
5 days
What does the McAfee Whitelisting of Rogues check portion of the inspection look at?
List of exceptions
What are the two HIP categories?
HIP firewall policy is enabled
Firewall Connection Aware Group / Location Aware Group (FCAG/LAG) prevents cross Domain violations
What systems need a waiver?
Systems that are not or cannot be configured to have HBSS installed.
What two Navy efforts followed significant attacks on DOD networks?
Operation Rolling Tide, Task Force Cyber Awakening
What are actions that are conducted to address System or network security incidents, restore systems to their operation states, and correct any technical or administrative flaws to prevent future attacks?
Computer Incident Response
What is the term for operations or actions that disrupt, deny, degrade or destroy information within a computer network, or the system or network itself?
Computer network attack
What is an unauthorized access to an information system?
Intrusion
What occurs when information from a higher classification/restriction is placed on machines or networks of lower classification/restriction either intentionally or inadvertently?
Electronic spillage
Which Delivery Vector category applies when a user with authorized access took specific actions that resulted in jeopardizing ISs or data?
Category 2 - Authorized user
Which Delivery Vector category applies when a compromise resulted from the inadequate or improper configuration of an IS?
Category 4 - configuration management
Which Delivery Vector category applies when a compromise resulted from an implicit or explicit trust relationship between security domains?
Category 6 - ACAS Transitive Trust
Which event/incident category is unauthorized privileged access (administrative or root access) to a DOD system?
Category 1 - Root level intrusion (incident)
Which event/incident category is unauthorized non-privileged access (user-level permissions) to a DOD system? Automated tools, targeted exploits, or self-propagating malicious logic may also attain these privileges.
Category 2 - User Level Intrusion (Incident)
Which event/incident category is an attempt to gain unauthorized access to a system that is defeated by normal defensive mechanisms? The attempt fails to gain access to the system (e.g. the attacker tried valid or potentially valid username and password combinations) and the activity cannot be characterized as exploratory scanning. Can include reporting of quarantined malicious code.
Category 3 - unsuccessful activity attempted (event)
What event incident category is an activity that impairs, impedes, or halts normal functionality of a system or network?
Category 4 - Denial of Service (Incident)
Which event/incident category is used for activity that, due to DOD actions (either configuration or usage), makes DOD systems potentially vulnerable (e.g. missing security patches, connections across security domains, installation of vulnerable applications)? In all cases, this category is not used if an actual compromise has occurred. Information that fits this category is the result of non-compliant or improper configuration changes or handling by unauthorized users.
Category 5 - Non-Compliance Activity (Event)
What event incident category is for events that are initially suspected as being malicious but after investigation are determined not to fit the criteria for any of the other categories (e.g., system malfunction or false positives)?
Category 9 - explained anomaly (Event)
How do you determine if there has been an incident or event?
Signs of an occurrence are identified by comparing abnormal activity to established baselines and thresholds of known good system performance and operation.
What port is FTP?
21
What port is SSH?
22
What port is Telnet?
23
What port is DNS?
53
What port is RPC (the Microsoft RPC endpoint mapper)?
135
What are the procedures to identify, isolate, mitigate, resolve, recover, and repair systems in response to a cyber event?
Incident response
What phase of incident response involves establishing and training an incident response team, as well as acquiring the necessary tools/resources to perform the response?
Preparation
What incident response phase determines whether an incident has occurred and establishes its scope and impact?
Detection and analysis
What phase of incident response assists the management of the incident and prevention of future attacks?
Containment
What incident categories must be sanitized and rebuilt from trusted media?
1, 2, 7
Which incidents potentially necessitate a gateway block?
1, 2, 3, 4, 6, 7
What two block lists are provided by NCDOC?
IP block list
DNS blackhole
What are the three tiers of CND?
Global
Regional (NCDOC which is the CSSP)
Local
Who is the principal advisor to the CO?
CSM
Who shall ensure that the ES (electronic spillage) is contained and cleaned from affected systems in accordance with guidance provided by the CO, CSM, and the OCA?
ISSM
What form do you fill out for spillage?
Electronic Spillage Action Form
Who tracks ESAF?
Naval Network Warfare Command (NAVNETWARCOM); the ESAF is submitted to the ESC
What two programs does NCDOC use for collection and preservation of volatile data?
DumpIt
Helix Pro
What is important to remember concerning volatile data?
Do not power the system off; volatile data (memory, connections, running processes) is lost on shutdown.
What system state command is used for user accounts?
net user
What system state command is used for the ARP table?
arp -a
What system state command is used for network interfaces?
ipconfig /all
What system state command is used for network connections?
netstat -abn (run from an elevated prompt; -b needs it to show the owning executable)
What system state command shows running tasks?
tasklist
Where can you find files belonging or related to applications such as executables, configuration files, log scripts, scripts, graphics and icons?
Application files
Where can you find files used to extend the amount of memory available by allowing programs to swap pages of data in and out of RAM?
Swap files
Where can you find files created to preserve the state of a system such as the memory contents and open files that are used to restore a system when it has been turned back on?
Hibernation files
Where can you find files that have been deleted
Deleted files
What should you do when you have collected data?
Make a copy
Master copy
Working copy
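The collection order and the master/working copy rule above, as an added Python example (not part of the flashcards or any CANES/NCDOC tool). It runs the five system state commands in the order listed, then writes each output as a read-only master copy plus a working copy, verifies both against one SHA-256 and records the hashes in a manifest. The output file names, directory layout and the constructed stand-in output used for offline runs are assumptions for the example.

```python
"""Collect volatile system state from a Windows host and preserve it as master and working copies."""
import hashlib
import os
import platform
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The system state commands from the flashcards, ordered most-volatile first.
# Run from an elevated prompt: netstat -b (owning executable) needs it.
SYSTEM_STATE_COMMANDS = [
    ("network_connections", ["netstat", "-abn"]),
    ("arp_table", ["arp", "-a"]),
    ("running_tasks", ["tasklist"]),
    ("user_accounts", ["net", "user"]),
    ("network_interfaces", ["ipconfig", "/all"]),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_command(argv):
    """Run one command on the live host and return its raw stdout bytes.
    A failure is recorded in the output rather than raised, so one missing
    tool does not abort the rest of the collection."""
    try:
        return subprocess.run(argv, capture_output=True, timeout=60, check=False).stdout
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"<collection failed: {exc}>\n".encode()


def constructed_runner(argv):
    """Stand-in for run_command so the script can be exercised offline; the output is made up."""
    return f"constructed output for: {' '.join(argv)}\n".encode()


def preserve(name, data, evidence_dir):
    """Write the master copy (made read-only and never analysed), duplicate it as
    the working copy, verify both against the same SHA-256 and return the manifest entry."""
    master = evidence_dir / "master" / f"{name}.txt"
    working = evidence_dir / "working" / f"{name}.txt"
    master.parent.mkdir(parents=True, exist_ok=True)
    working.parent.mkdir(parents=True, exist_ok=True)
    master.write_bytes(data)
    os.chmod(master, 0o444)           # analysis happens only on the working copy
    shutil.copyfile(master, working)
    digest = sha256(data)
    if sha256(master.read_bytes()) != digest or sha256(working.read_bytes()) != digest:
        raise RuntimeError(f"hash mismatch while preserving {name}")
    return {"name": name, "sha256": digest, "collected_utc": datetime.now(timezone.utc).isoformat(),
            "master": str(master), "working": str(working)}


def collect_volatile_state(evidence_dir, runner=run_command):
    """Run every command in order, preserve each output and write a hash manifest."""
    manifest = [preserve(name, runner(argv), evidence_dir) for name, argv in SYSTEM_STATE_COMMANDS]
    lines = [f"{e['sha256']}  {e['name']}  {e['collected_utc']}" for e in manifest]
    (evidence_dir / "MANIFEST.sha256").write_text("\n".join(lines) + "\n")
    return manifest


def demo_offline():
    """Exercise the preservation logic with constructed output in a temporary directory."""
    evidence_dir = Path(tempfile.mkdtemp(prefix="evidence-"))
    return evidence_dir, collect_volatile_state(evidence_dir, runner=constructed_runner)


if __name__ == "__main__":
    if platform.system() != "Windows":
        raise SystemExit("These are Windows tools; run this on the affected host from an elevated prompt.")
    out_dir = Path("evidence") / datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    for entry in collect_volatile_state(out_dir):
        print(entry["sha256"], entry["name"])
```

Copy the script to the host on removable media rather than installing anything on it, and keep the manifest with the master copies: the recorded hashes are what lets anyone later show that the working copy analysed is identical to what was collected.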
What two tools of HBSS have the ability to monitor files?
ABM (Asset Baseline Monitor) & FIM (File Integrity Monitoring)
What is the process of identifying, analyzing, and characterizing information gathered from affected systems?
Malware analysis
Where should you perform malware analysis?
Isolated environment
What are two places you can perform malware analysis?
Isolated dedicated computer or a virtual machine
What are abnormal combinations of seemingly uninteresting events that could be one of the first precursors to an attack?
Unrecognized connection to the web server
Unrecognized configuration change
Unrecognized user creation or privilege elevation
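Comparing abnormal activity to an established baseline, as the cards on incident identification and on precursors describe, is shown here as an added Python example (not from the flashcards or any HBSS/NCDOC tool). It parses constructed captures laid out like the output of netstat -abn, net user and net localgroup administrators, compares them with a hypothetical known-good baseline for the workstation, and reports unrecognized listeners and connections, new accounts and new members of the Administrators group. The sample captures, the baseline values and the output wording are all assumptions for the example.

```python
"""Compare captured system state against a known-good baseline to surface incident precursors."""
import re

# Constructed captures (not from a real host), laid out the way the Windows tools print them.
# netstat -abn: one line per socket, then the owning executable in brackets on the next line.
NETSTAT_ABN = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
 [svchost.exe]
  TCP    10.1.1.5:49712         203.0.113.9:4444       ESTABLISHED
 [powershell.exe]
  TCP    10.1.1.5:49800         10.1.1.20:443          ESTABLISHED
 [msedge.exe]
  UDP    0.0.0.0:5355           *:*
 [svchost.exe]
"""
NET_USER = """\
User accounts for \\\\WS01

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
WDAGUtilityAccount       helpdesk2                svc_backup
The command completed successfully.
"""
NET_LOCALGROUP_ADMINISTRATORS = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
helpdesk2
The command completed successfully.
"""

# Known-good baseline recorded when the workstation was last verified clean (hypothetical values).
BASELINE = {
    "listening": {("TCP", 135), ("TCP", 445), ("UDP", 5355)},
    "outbound": {("msedge.exe", 443), ("msedge.exe", 80)},   # (process, foreign port) pairs
    "accounts": {"Administrator", "DefaultAccount", "Guest", "WDAGUtilityAccount", "svc_backup"},
    "administrators": {"Administrator"},
}

SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S+)?\s*$")


def port_of(addr):
    """Port from 'host:port'; '*:*' (unconnected UDP) gives None."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    sockets = []
    for line in text.splitlines():
        match = SOCKET_RE.match(line)
        stripped = line.strip()
        if match:
            proto, local, foreign, state = match.groups()
            sockets.append({"proto": proto, "local": local, "foreign": foreign,
                            "state": state or "", "process": None})
        elif sockets and stripped.startswith("[") and stripped.endswith("]"):
            sockets[-1]["process"] = stripped[1:-1]   # owning executable reported by -b
    return sockets


def parse_names(text):
    """Names between the dashed rule and the completion line (net user, net localgroup).
    Plain whitespace split: account names containing spaces are out of scope here."""
    names, in_list = set(), False
    for line in text.splitlines():
        if line.startswith("----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list:
            names.update(line.split())
    return names


def find_precursors(netstat_text, net_user_text, localgroup_text, baseline):
    findings = []
    for s in parse_netstat(netstat_text):
        if s["state"] == "LISTENING" or s["proto"] == "UDP":
            key = (s["proto"], port_of(s["local"]))
            if key not in baseline["listening"]:
                findings.append(f"unrecognized listener: {s['proto']}/{key[1]} ({s['process']})")
        elif (s["process"], port_of(s["foreign"])) not in baseline["outbound"]:
            findings.append(f"unrecognized connection: {s['process']} -> {s['foreign']}")
    for name in sorted(parse_names(net_user_text) - baseline["accounts"]):
        findings.append(f"unrecognized user creation: {name}")
    for name in sorted(parse_names(localgroup_text) - baseline["administrators"]):
        findings.append(f"unrecognized privilege elevation: {name} is in Administrators")
    return findings


if __name__ == "__main__":
    for finding in find_precursors(NETSTAT_ABN, NET_USER, NET_LOCALGROUP_ADMINISTRATORS, BASELINE):
        print(finding)
```

Each finding on its own is a seemingly uninteresting event; it is the combination (a new local account, that account in Administrators, and a PowerShell connection to an unfamiliar host on port 4444) that makes this the kind of precursor the cards describe. The comparison is only as good as the baseline, so record the baseline from a host known to be clean and keep it under the same change control as the configuration.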
When will you determine the training needs to prevent future attacks?
Post incident analysis
What is the process of collecting messages from different systems and finding all messages that belong to one single event?
Correlation analysis
What is the most important feature for correlation analysis?
Time stamps, which depend on correct and synchronized clock settings on every source
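Correlation analysis as described above, as an added Python example (not part of the flashcards or any NCDOC tool). Constructed log lines from a firewall, a web server and a workstation are put on one reference clock by removing each host's measured clock offset, then grouped into events by the external IP address they share and a time window. The log lines, the host names, the offsets and the 120-second window are assumptions for the example; run with the offsets and then without them to see why clock settings decide whether the messages correlate at all.

```python
"""Group messages from different systems into single events, after correcting each host's clock."""
import ipaddress
import re
from datetime import datetime, timedelta

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed enclave range; not used as an indicator

# Constructed records (host, timestamp as the host logged it, message). All hosts log in UTC, but the
# web server's clock runs 5 minutes fast and the workstation's 2 minutes slow.
RAW_LOGS = [
    ("fw01",  "2024-03-04T10:00:05Z", "ALLOW TCP 203.0.113.9:51000 -> 10.1.1.20:443"),
    ("web01", "2024-03-04T10:05:07Z", "GET /login.aspx?user=admin' from 203.0.113.9 status=500"),
    ("ws01",  "2024-03-04T09:58:40Z", "netstat: powershell.exe ESTABLISHED 203.0.113.9:4444"),
    ("fw01",  "2024-03-04T10:31:00Z", "ALLOW TCP 198.51.100.7:40000 -> 10.1.1.20:443"),
    ("web01", "2024-03-04T10:36:02Z", "GET /index.html from 198.51.100.7 status=200"),
]
# Offset of each host's clock from the reference clock, measured when the logs were collected
# (positive means the host clock is ahead).
CLOCK_OFFSETS = {"fw01": timedelta(0), "web01": timedelta(minutes=5), "ws01": timedelta(minutes=-2)}


def parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def normalize(raw_logs, offsets):
    """Put every message on the reference clock and extract its external IP indicators."""
    messages = []
    for host, stamp, text in raw_logs:
        true_time = parse_time(stamp) - offsets.get(host, timedelta(0))
        indicators = {ip for ip in IP_RE.findall(text) if not is_internal(ip)}
        messages.append({"host": host, "time": true_time, "text": text, "indicators": indicators})
    return sorted(messages, key=lambda m: m["time"])


def correlate(raw_logs, offsets, window=timedelta(seconds=120)):
    """One event per run of messages that share an indicator and are no more than `window` apart."""
    events = []
    messages = normalize(raw_logs, offsets)
    for ip in sorted({ip for m in messages for ip in m["indicators"]}):
        current = None
        for m in (m for m in messages if ip in m["indicators"]):
            if current is None or m["time"] - current["end"] > window:
                current = {"indicator": ip, "start": m["time"], "end": m["time"], "messages": []}
                events.append(current)
            current["end"] = m["time"]
            current["messages"].append(f"{m['host']} {m['time'].isoformat()} {m['text']}")
    return events


if __name__ == "__main__":
    for label, offsets in (("clocks corrected", CLOCK_OFFSETS), ("clocks as logged", {})):
        print(f"== {label}: {len(correlate(RAW_LOGS, offsets))} events")
        for event in correlate(RAW_LOGS, offsets):
            print(event["indicator"], event["start"].isoformat(), "->", event["end"].isoformat())
            for line in event["messages"]:
                print("   ", line)
```

With the offsets applied, the firewall allow, the failed login attempt and the workstation's connection to 203.0.113.9 fall within one minute of each other and become one event; with the clocks taken as logged, the same three messages spread over more than six minutes and split into separate events, and the innocuous 198.51.100.7 pair splits too. Record each host's clock offset at collection time (for example by comparing its clock with a trusted source when you capture the system state) so the correction can be applied later.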
What are two sources for information on attacks?
CVE, USCYBERCOM
Who provides logs to NCDOC?
Shipboard personnel