Security Operations Flashcards
The concept that no single individual has complete authority or control of a critical system is known by which term?
Separation of duties
What 3 advantages does separation of duties provide?
- Reduces opportunities for fraud or abuse
- Reduces mistakes
- Reduces dependence on individuals
The concept involving regularly transferring key personnel into different positions or departments within an organisation is otherwise known as what?
Job rotation
What are 3 advantages of job rotation?
- Reduces opportunities for fraud or abuse
- Eliminate single points of failure
- Promote professional growth
What are 4 advantages of mandatory vacations?
- provides opportunity to uncover fraud or abuse
- Reduce individual stress, thus reducing the potential for mistakes or coercion by others
- Discover inefficient process with another individual performs role in their absence.
- Reveal single points of failure and opportunities for job rotation and separation of duties/responsibilities
What is the concept of “Need-to-know”?
- states that only people with a valid to need to know certain information in order to perform their job functions, should have access to that information.
- user must have relevant security clearance
What is the principle of “Least Privilege”?
persons should have the capability to perform only the tasks that are required to perform their primary jobs and nothing more.
What is the difference between the concepts of “Need-to-know” and “Least Privilege”?
“Need to know” is concerned with access control whereas “Least privilege” is concerned with functionality.
How can the “accumulation or privileges” occur?
When an employee moves to another role within the same organisation, but previous access rights are not revoked.
What is the main benefit of server virtualisation?
Reduces single point of failure as a virtual server can be replicated or moved from one physical server to another.
What things should be considered for systems regarding single points of failure?
- Redundant Power Supplies
- Multiple Power Supplies
- Cooling Fans
- RAID (Hot swappable)
- Can the system be clustered or virtualised?
- Can data be replicated to another system in real time?
What things should be considered for networks regarding single points of failure?
- Do routers/ firewalls failover automatically and do they fail-back?
- Do routers have multiple paths available to network destinations?
- Do you have multiple service providers and do they share the same point of presence (POP)?
- What happens if the connection to your telecommunications provider’s central office is cut?
- Do your multiple telecoms providers networks go through the same telecoms hotel?
What is a telecoms hotel?
The facility that houses equipment belonging to many different telecoms providers
What things should be considered for processes regarding single points of failure?
- Do your personnel security policies and practices create single points of failure? ie you might have separation of duties, but not rotation of duties.
- Do you have contingency processes in place in case a primary system, process or person is unavailable?
4 key elements of handling sensitive information:
- Marking
- Handling
- Storage and Backup
- Destruction
When a system failure occurs, in which type of environment may access be lost?
Fail-soft or fail-closed
When a system failure occurs, in which type of environment will access be open to all?
Fail-open
When a system crash occurs, what term is used to describe the system when access has been restored?
Fail-back
What term is used to describe strategic and tactical errors that an organisation can face whether by performing an action or failure to perform an action?
Errors & Omissions (E&O)
What is Errors & Omissions liability otherwise known as in legal terms?
Professional Liability
What term is used to describe software that typically damages or disables, takes control of, or steals information from a computer system?
Malware
Name 9 common types of malware:
- Adware
- Backdoors
- Bootkits
- Logic Bombs
- Rootkits
- Spyware
- Trojan Horses
- Viruses
- Worms
Which type of malware uses pop-up advertising programs?
Adware
Which type of malware uses malicious code that allows an attacker to bypass normal authentication to allow an attacker to gain access to a compromised system?
Backdoor
Which type of malware is a kernel mode variant of a rootkit, commonly used to attack computers that are attacked by full disk encryption?
Bootkits
Which type of malware used malicious code that is activated when a specific condition is met, such as a particular date or event?
Logic Bomb
Which type of malware used malicious code to provide privileged (root level) access to a machine?
Root-kit
Which type of malware uses malicious software that collects information without a users knowledge and/or interferes with the operation of a computer by redirecting them to a web browser or installing additional malware?
Spy-ware
Which type of malware uses malicious software that masquerades as a legitimate program?
Trojan Horse
Which type of malware uses malicious code that requires a user to perform a specific action to become active such as clicking an executable, attachment or link to become active?
Virus
Which type of malware uses malicious code that is spread rapidly across a network without any user interaction required to activate it. This type of malware typically exploits known vulnerabilities and flaws that have not been patched.
Worms
What term would be used to describe an individual machine that has been infected with malware and is under the control of the attacker?
Bot
What is a Bot-herder?
An attacker that uses malware to take control of the infected system.
What is a botnet?
- A network of infected machines (bots)
- They typically have many command and control servers distributed all over the internet which gives the botnet a resilient distributed infrastructure.
What is an Advanced Persistant Threat (APT)?
targeted intrusions used by groups that use sophisticated botnets to attack a specific target such as an enterprise or government network.
What are the 5 main system security controls?
- Preventative
- Detective
- Corrective
- Automatic
- Manual
What are the 6 main operational controls?
- Resource Protection
- Privileged Entity Controls
- Change Controls
- Media Controls
- Administrative Controls
- Trusted recovery
What operational control is used to protect information assets and information infrastructure?
Resource Protection
Resource Protection can be categorised into 6 areas. What are they?
Comms hardware and software Computers and their storage systems Business Data System Data Backup Media Software
Which Operational Control describes the mechanisms, generally built into the computer OS, which give privileged access to hardware, software and data?
Privileged entity controls
What are the two prevalent forms of change control?
Change Management and Configuration Management
Approval based process that ensures only approved changes are implemented is known as what?
Change Management
the controls hat records soft-configuration and software changes with approval via the change management process is known as what?
Configuration Management
information classifications and physical media control are controlled by which operational control?
Media Control
Least privilege, Separation of duties and rotation of duties are categorised under which operational control?
Administrative Controls
Documented processes and procedures for system recovery fall under which operational control?
Trusted recovery
What are four common reasons for having system audit trails in place?
- Accountability
- Investigation
- Event reconstruction
- Problem identification
List 9 common types of penetration testing:
Port scanning Vulnerability scanning Packet sniffing War dialling War driving Radiation Monitoring Dumpster diving Eaves dropping Social engineering
What is port scanning?
The scanning of a target machine across a network for open un-used ports, that should either be de-activated or patched.
Name 3 examples of port scanning tool?
Nmap
Nessus
SATAN
What is vulnerability scanning?
A means of identifying exploitable vulnerabilities in a system
What is packet sniffing?
A tool that captures all TCP/IP packets transmitted on a network or device
How does packet sniffing differ on a switched media LAN?
Sniffers on switched-media LANs generally only pick up packets intended for the device running the sniffer
What mode is used were a network adapter accepts all packets, not just packets destined for the system, and sends them to the operating system?
Promiscuous Mode
What is war dialling?
War dialling is used to sequentially dial all phone number in a range to discover any active modems
What is war driving?
War driving is the 21st century version of war dialling. Someone uses a laptop with a wireless LAN card and drives around densely populated areas looked for unprotected or poorly protected wireless LAN’s
What is radiation monitoring?
The practice of determining what data is being displayed on monitors, transmitted on LAN’s or processed on computers using radio frequency/electromagnetic emanations.
What is dumpster diving?
Exactly what it says
What is eavesdropping?
Exactly what it says
What is shoulder surfing?
Watching them work with discreet over the should glances
What is social engineering?
active way of physically getting information form workers. low tech can involve a hacker masquerading as someone else
What are the two common types of intrusion detection systems?
Network based IDS
Host based IDS
What two methods are used by IDS?
- Signature based
- Anomaly based
What is signature based IDS?
- compares network traffic that is observed with a list of patterns in a signature file. Downside is that it only detects known attacks and has to be periodically updated
What is anomaly based IDS?
- monitors all traffic on a network and build traffic profiles. over time the IDS will report deviations from the reports that it has built. Downside is that you may have higher false positives
What is the difference between behaviour/heuristic based IDS and anomaly based IDS?
Rather than detecting anomalies to normal traffic patterns, behaviour-based and heuristics-based systems attempt to recognise and learn potential attack patterns.
What is the difference between IPS and IDS?
IPS detects and blocks intrusions, whereas IDS simply detects them
What term is used to describe the science of examining activity and audit logs to discover inappropriate activity?
Violation Analysis
What does violation analysis use as thresholds for differentiating violations from non-events?
Clipping levels
Describe an example of where clipping levels are used?
the number of login attempts failed on a system per hour. if the limit (clipping level) is exceeded within that hour, then a violation has occurred.
What is keystroke monitoring?
the recording of all input activities on a terminal or workstation.
What is traffic and trend analysis?
monitoring of the activities of an individual or organisation, based on the type and volume of traffic on a network.
Name 4 types of physical monitoring?
- watching logs of buildings with card-key access control
- monitoring unmanned entrances, ie CCTV
- Staffing key locations with security guards
- installing and monitoring security alarm sensors
What is the process of detecting, responding and fixing a problem known as?
incident management or problem management
What is a system operator?
normally found in data center environments. managing infrastructure.
What is the extent of the security admins role in relation to background checks?
checking that they have been completed prior to assigning accounts.
What is Account Validation?
Period reviewed of inactive accounts
In the US, US Civilian Government Agencies are required to report breaches of personal identifiable information to whom with a n hour of occurring?
US-CERT (US Computer Emergency readiness Team)
What is Root Cause Analysis? (RCA)
asking why until there is only one answer
What is the difference between incident management and problem management?
Incident is concerned with managing an adverse event, whereas problem management is concerned with tracking the event back to its root cause. Incident limits the affect whereas problem addresses defects
What can be obtained from the following?
cve. mitre.org (Common Vulnerability Exposure Database)
nvd. nist.gov (Online database of known vulnerabilities managed by NIST
www. cert.gov (online resource for a wide variety of information on known vulnerabilities
What is the last step of the patch management process?
Documentation
What are two characteristics of a SAN?
- dedicated block level storage on a dedicated network.
- utilise protocols like iSCSI to appear to operating systems as locally attach devices
What is a NAS?
designed to simply store and serve files, ie FTP server, file server
What term is used to describe multiple disks used for a single partition?
Concatenation (a concatenated disk will appear tot the OS as a single drive
RAID levels:
- RAID 0:no redundancy
- RAID 1:mirroring. ocstly due to needing double the disk space.
- RAID 2:theoretical and not used in practice.
- RAID 3:requires 3 or more drives. data is striped at byte level. has a dedicated parity drive to reconstruct data
- RAID 4: requires 3 or more drives. data is striped at block level. has a dedicated parity drive to reconstruct data
- RAID 5: requires 3 or more drives. parity information accross all drives.
- RAID 6: extends capabilities of RAID 5. dual parity. accommodates failure of two drives however performance is poor and not widely used.
- RAID 0+1: uses two different sets of disks. one for striping and for mirroring data to different set of disks.
- RAIS1+0: Each drive is mirrored to amatching set. wen data is striped to one it is immediately striped to the other. (better for speed and redundancy)
Which type of RAID is most commonly used?
RAID 5
What is RAIT?
Redundant Array of Independent Tapes. used for tape media
