Real Exam 2 Written Flashcards
Describe the functionality of an IDS.
IDS is responsible for detecting unauthorized access or attacks against systems and networks. Can verify, itemize, and characterize threats from outside and inside the network.
Describe the three modes of detection for an IDS
Signature based - analyzes traffic for patterns associated with known attacks stored in database
Anomaly based - Analyzes traffic and compares it to normal or baseline traffic for deviations that might indicate attack
Rule/Heuristic based - Analyzes traffic by using pre-configured rules and an interface engine to determine when characteristics of an attack exists.
What is the Security Onion
Open-source linux application suite of tools that provides IDS and IPS functionality, security monitoring, and log analysis
What are the hardware requirements for the Security Onion
64-bit CPU, 4 cores, 8GB Ram 40-60GB Hard drive capacity
What is the purpose of a NSM (Describe the functionality of the 4 major utilities types found in SO)
Network security monitoring
Collects and displays suspicious
network activity
Analyzes alerts of suspicious activity
Collects packets for analysis
Allows for overview of network activity
4 Major Utilities types in Security Onion
IDS/IPS
SNORT
IDS session analysis
OSSEC
Session analysis
BRO
Visibility to logs
SGUIL
ELSADescribe sources of Event Logs
Network devices/ appliances
End devices
IoT devices
What are the Cisco alert logging categories
0 emergency: System unstable 1 alert: Immediate action needed 2 critical: Critical conditions 3 error: Error conditions 4 warning: Warning conditions 5 notice: Normal, but significant condition 6 informational: Informational messages only 7 debug: Debugging messages
What can be used to centralize logs from network devices
A central logging server, centralized logging management application (SYSLOG)
What can be used to centralize logs from windows devices
A event log subscriber. A source and a collector. Have the source computer have the collector as an event log reader, enable windows remote management on the source
Describe the 3 major logs available in a Windows environment
SYSTEM: Operating System events
SECURITY: Security events
APPLICATION: Application Events
What are the three events seen in Windows logs?
Information: Events that describe the successful operation of a task, such as an application, driver, or service. E.g. when a network drive loads successfully
Warning: An event that is not necessarily significant, but may indicate a possible future problem
Error: An event that indicates a significant problem such as loss of data or loss of functionality. E.g. if a service fails to load during startup
Audited events appear in which Windows Log?
Security Event Log
Describe how RSYSLOG is configured and deployed on a LINUX computer
Install RSYSLOG
Configure RSYSLOG server to accept remote log messages
Configure RSYSLOG computer to send events to another server using UDP
What are the three default chains in IPtables?
Input chain- Incoming to firewall for packets going to local server
Output chain - Outgoing from Firewall, For packets generated locally and going out of the local server
Forward Chain - Packet for another NIC on local server
What are the three possible actions which can be taken to packets with IPtables?
Accept, Drop, and Reject
Where are RSYSLOG events stored by default in linux?
/var/log/message
Describe the functionality of Splunk
Splunk captures, indexes, and correlates real-time machine data in a searchable repository
Describe the functionality of ELSA
Log receiver, archiver, indexer, and web for incoming syslogs. Web interface to search through several types of logs.
Describe the functionality of Dumpit
Used to generate a physical memory dump snapshot of windows registry
Describe the functionality of Volatility
Analyzes ram in 32 and 64-bit systems as a raw dump or crash dump
Name four stakeholders involved in the IR process
HR, Legal, Marketing, and Management
Describe 6 common network signs of a security incident
BandWidth Consumption: abnormal, non-legit traffic
Beaconing: Traffic leaving at regular intervals from within attempting to phone home
Irregular peer-to-peer communication: abnormal communication between peers could indicate something like illegal file sharing
Rogue Devices: Wireless keyloggers that collect info and transmit to criminal
Unusual traffic spikes: Could be something like increase bandwidth usage or network traffic
Unknown scan sweeps: When a scan is taking place without a known penetration test or routing scan
Describe 10 common host signs of a security incident
Process consumption Memory consumption Hard drive capacity Unauthorized software Malicious processes Unauthorized privileges Data exfiltration Unauthorized changes
Describe any three containment techniques
Segmentation: Limits the scope of an incident by dividing the network into segments by using “barriers” to prevent the spread into other networks
Isolation: Blocking traffic to and from the device or by shutting down interfaces
Removal: Shutdown the device, but not advisable because you can erase volatile evidence
Describe three important things to consider when eradicating a threat
Sanitization: remove all traces of threat by overwriting the drive multiple times
Reconstruction/Reimage: Rebuilding the system after sanitization
Secure Disposal: Dispose a compromised device rather than sanitize
Cleaning: Remove data to ensure data can’t recovered or reconstructed
Purging: Makes data unreadable
Destruction: Destroying the physical media that contains the data
Describe three things you can do to validate that your system is backed up and running secure after a security incident
Patching: Check/install updates (OS, application, anti-virus, firmware)
Permissions: Review all permissions to ensure they’re all set correctly
Scanning: Use a vulnerability scanner to scan affected devices from an incident
Given any of the following compliance laws, determine the application: SOX, HIPAA, GLBA, CFAA.
SOX: Controls accounting methods and financial reporting
HIPAA-Standards/procedures for storing, using, transmitting medical info and healthcare data
GLBA: Provides guidelines for scoring financial info and prohibits sharing financial info with third parties
CFAA: affects entities that might engage in hacking of “protected” computers
Describe the usage of the following frameworks:
NIST SP 800-53, NIST Cybersecurity Framework, ISO 27000, COBIT, ITIL
NIST SP 800-53: Developed by US dept. Of Commerce. Divides controls into
technical, operational, and management
NIST CyberSecurity Framework: IT security, identify, and protect, detect, respond, and recover
ISO 27000: Security program development standard on how to develop/maintain an Info Security Management system (ISMS)
COBIT: Uses process methods to subdivide IT into 4 devices: Plan/Organize, Acquire/Implement, Support, Monitor/Evaluate
ITIL: Informational tech infrastructure library- office of management and budget, primarily concerned with SLAs
What are the five functions in the NIST cybersecurity framework (important!) (be able to apply to a scenario)
dentify, protect, detect, respond, and recover
Describe any three high level policy categories
Acceptable Use Policy: Used to inform users of the actions that we allowed and those that are not allowed
Password Policy: Up to organization to decide
Data Ownership Policy: Covers how the owner of data is identified
Describe five out of the seven categories of controls
Compensative: substitute for primary access control and mitigates
Corrective: Reduce the effect of an attack
Detective: Detect an attack and alert appropriate personnel
Deterrent: To deter or discourage an attacker
Directive: Specify acceptable practice within an organization
Describe 4 types of context based authentication
Time: Permitting or denying access to a company’s resources based on the time of day
Location: The geolocation of the person trying to access the resource, used to identify and authenticate based on where the request originated
Frequency: Based on the frequency of the requests, multiple requests may be somebody initiating a password-cracking attack
Behavior: Tracking the behavior of an individual and locating any discrepancy that arises when they fail to match the behavioral trend
Name any three security issues relates to personnel
Dormant accounts remaining active leading to a disgruntled employee using that account to compromise company resources.
Easily guessed passwords, whereas complex passwords are more difficult to crack
Poor credential management; example: the local and domain administrator have the same username and password
When looking at the lifecycle of accounts which is often overlooked?
The removal/disablement of accounts
Name 3 security issues related to endpoints
Malicious software
People/End Users
Rogue Endpoints
Name 3 advantages of Kerberos
User passwords do not need to be sent over the network
Both the client and server authenticate each other
The tickets passed between the server and client are time-stamped and include lifetime information
Name 3 disadvantages of Kerberos
KDC redundancy is required if providing fault tolerance is a requirement. The KDC is a single point of failure.
The KDC must be scalable to ensure that performance of the system does not degrade.
Session keys on the client machines can be compromised.
Name any 3 security issues related to RADIUS
The RADIUS shared secret can be weak due to poor configuration > default configuration
RADIUS Access-Request messages sent by RADIUS client are not authenticated
Sensitive attributes are encrypted using the RADIUS hiding mechanism
Name any 3 security issues related to TACACS
If TACACS+ applications are compromised on a server, then the server’s account database can be accessed by the attacker
TACACS+ is vulnerable to replay attacks because it uses TCP and provides no security against it
Lack of integrity checking allows an attacker with access to the wire to flip most of the bits in a packet avoiding detection
What is a federation?
A federation is a organization that enforces a common set of policies and standards. Those policies and standards define how to provision and manage user identities, authentication, and authorization.
What is SAML?
SAML(Security Assertion Markup Language) is a security model built on XML and SOAP-based services that allows for the exchange of authentication and authorization data between systems and supports federated identity management.
Name any 3 exploits against identity and authentication
Impersonation
Impersonation
Man-in-the-middle
Session-Hijacking
Describe 3 data analytic methods
Data Aggregation and Correlation
Aggregation is collecting a large amount of data and filtering/summarizing it based on common variables while correlation is the process of locating said variables in the related information
Trend Analysis
Analyzes and tracks the trends on anomalies based on the established security baseline
Historical Analysis
Analysis that is carried out towards a goal to determine the history of a value over a period of time
Describe 3 methods of defense in depth
Security Appliances: Hardware devices that are designed to provide some function that supports the securing of the network or detecting vulnerabilities and attacks. Ex: IPS, IDS, Firewalls, SIEM systems, Hardware encryption devices.
Security Suites: Collection of security utilities combined into a single tool. Ex: Gateway protection, Mail server protection, File server protection, Client protection, Centralized management.
Outsourcing: Third-party involvement that are contractually obliged to perform adequate security activities should be confirmed by the company prior to the launch of any products or services that are a result of third-party engagement.
Describe 4 uses of cryptography
Authentication: Provide authentication by being able to determine the sender’s identity and validity: Digital Signatures
Confidentiality: Ensure the data cannot be read by normal means by encrypting the data by use of a public/private key
Integrity: The use of hash functions to allow valid recipients to verify that data has not been altered.
Authorization: Provides authorization by providing a key to a valid user after that user proves his identity through authentication such as Kerberos and TGT.
Describe 4 types of transport encryption
SSL/TLS: Allows the exchange of private information between two parties. SSL provides encryption, server and client authentication, and message integrity. TLS is more extensible and provides privacy and data integrity between two communicating applications
HTTP/HTTPS/SHTTP: Used on the web to transmit website data between a web server and a web client, the variations of HTTP like HTTPS/SHTTP which provides encryption via SSL/TLS while S\HTTP encrypts only a single communication message, and not an entire session.
SSH: Secure Shell is an application and protocol that is used to remotely log in another computer using a secure tunnel. When the connection is established and after the session key is exchanged all communication between the two is encrypted over the channel.
IPsec: Suite of protocols that establishes a secure channel between two devices.
