Security Operations Flashcards
Planning
security should be considered prior to development
Provisioning
preparation for deployment; instantiating a user, system, or service
Security baseline and configuration management key principles
Baseline configuration
need a well-vetted, hardened baseline configuration
Building baseline configuration
don’t start from scratch
Determine a reasonable starting point
establish consistent configuration across the majority of the systems
Reduce time to recover a deployed system
Infrastructure as a Service (IaaS) - e.g. root access to a server
Platform as a Service (PaaS) - e.g. a web service
Software as a Service (SaaS) - e.g. Gmail
Cloud Server (Provisioning)
Vulnerability - a weakness present in the preconfigured image
Types of Firewall
Packet Filter
Stateful
Proxy
Next Generation Firewalls (NGFW)
Packet filtering firewall
examines each packet independently
no knowledge of where the packet came from (keeps no state)
fast, but not secure
implemented as ACLs on some devices
Firewall: Stateful
Slower
Keeps a lookup (state) table of connections
Proxy Firewall
Two TCP connections for each request: one with the client, one with the server
Sits in between; inspects and processes packets at all seven layers
Firewall: Circuit Level
Operates at session layer
does not use application-level proxy software
SOCKS - replaces the network connection with a SOCKS call
Firewall: Application Level
Proxy server software / Layer 7
Acts as an intermediary, moving packets from one network to another
Firewall: Next Generation Firewall (NGFW)
packet inspection beyond ports/protocols
Bastion Host
Host that sits outside the firewall
Firewall: Host-Based
e.g. Windows Firewall, McAfee, etc.
Intrusion Prevention Systems (IPS)
False positives on an IPS cause outages
IDS - passive
IPS - active - think of a pen test: the IPS will stop it, which is why it can cause an outage
Malware Detonating Devices (MDD)
Sandboxing
Isolate the sample and try to see what would happen
Basically isolated detonation
Sandboxing Capabilities
Malware checks to see if it is connected to the internet before it detonates
IDS
Sniffs traffic / a sniffer with rules
Passive - sends an alert (does not stop the attack)
Active - stops the attack (e.g. by sending resets)
IDS: True Positive, True Negative, False Positive, False Negative
True Positive - real attack
True Negative - normal traffic
False Positive - sets off an alert on normal traffic
False Negative - does not set off an alert on attack traffic
Signature Matching
Detects on existing/known patterns
Will not detect new patterns, polymorphic malware, or encrypted traffic
Protocol Behavior
detects protocol behavior, e.g. SYN, SYN-ACK, ACK
False positives on complex/non-standard protocols
Honeypot
designed to be hacked into / public-facing
Security Information and Event Management (SIEM)
Devices for viewing logs and the events that are triggered from them
Audit Logs
Process: logs must be reviewed
Audit Trails
Individual conducting the transaction
Date
Time
Location (workstation)
Preparing for Incidents
Critical decisions must be made before an incident happens:
whether to pursue legal action
what actions are authorized to be taken
whether to understand the root cause, or just reimage/revert
whether attacking attackers is allowed; whether to let attackers persist in order to gain intelligence
templates need to be built for data gathering
Security Incidents: External Attacker
attacking back is a bad idea
The IP is a pivot point, so it might not be the actual attacker's IP
Security Incidents: External Attacker Logs
Attackers will erase their tracks
Look for all systems that might have connected to any of the offending IP addresses
Security Incidents: Incident Handling
Preparation, Detection (Identification), Response (Containment), Mitigation (Eradication), Reporting, Recovery, Remediation, Lessons Learned
Security Incidents: Detection
Do not jump to conclusions
Notify the correct people
Use the help desk to track trouble tickets and problems
Need a primary handler
SMART Guidelines
Specific, Measurable, Achievable, Realistic, Timely
Security Incidents: Response
The incident handler should not make things worse
Secure the area
Make a forensic backup
Pull system off the network
Security Incidents: Mitigation
Fix the system before putting it back online
Determine cause & symptoms
Improve defenses
Perform vulnerability analysis
Analogy (car accident): Response - EMT stabilizes the patient; Mitigation - doctor heals the patient
Security Incidents: Reporting
Occurs through all phases
Need technical & non-technical reporting
Common mistake: focusing on the technical report only
Reporting is less formal during the incident and more formal as it approaches being handled and recovered
Security Incidents: Recovery
Do not restore compromised code
Validate the system
Monitor: make sure the attacker does not get back in
Security Incidents: Remediation
Occurs in phases
Short term - change passwords of affected users / patch affected systems
Long term - reconfigure systems to use two-factor authentication
Improve the organization's patching process
Security Incidents: Lessons Learned
Conduct a lessons-learned meeting
Send recommendations to management (ask for money, resources, etc.)
Conduct a follow-up meeting
Forensic Investigation
Thorough and detailed analysis
greater expectation that the legal system could be involved
presumes a violation might have been committed
Incident Response
immediate limiting or averting of operational impact
Types of evidence
Direct - first-hand witness
Circumstantial - testimony from a first-hand witness of circumstances related to the legal matter
Expert - opinion/interpretation from expert
Hearsay
second-hand, rather than direct
Business records - second-hand
Disk/memory evidence is not treated as hearsay
Chain of custody
integrity & authenticity
Document time, location, & manner of collection
Specify the individual responsible for control of the evidence
Employ tamper-resistant evidence storage
Attestation
Ensure the chain of evidence control can be reviewed
EDiscovery
All data gets handed over, NO EXCEPTION
RAID 0
Striping: doubles the size - write on disk A, then disk B, and so on
No redundancy
RAID 1
Mirroring
RAID 2
Needs 39 disks (32 disks for data, 7 for error recovery)
RAID 3/4
RAID 3 - byte level
RAID 4 - block level
dedicated parity drive
RAID 5
Block level
Striping of data across disks
Parity information striped across disks
RAID 6
Like RAID 5, block level
Double parity
Electronic vaulting
batch processing
send data to remote server
Remote Journaling
transmitting data in real time to backup storage
think of a SQL transaction log
Database Shadowing
same as remote journaling
storing duplicate data on multiple remote storage devices
Disk duplexing
the disk controller is duplicated
Backup Concept: Full Backup
Full backup
Backup Concept: Incremental Backup
backs up files that have been created/modified since the last backup
Sets the archive bit to 0
Changes from the previous day only
Need a lot of tapes to restore
Backup Concept: Differential Backup
backs up files that have been created/modified since the last full backup
Does not set the archive bit to 0
Only need the last full backup and the latest differential tape
Backs up all changes from Sunday (the full backup) to the previous day, not a day-to-day comparison
Business Continuity Plan (BCP)
the business remains viable even in the face of disaster
NIST SP 800-34 Rev. 1
Continuity of Operations (COOP)
Subset of BCP
recover critical functions rapidly
Disaster Recovery Plan (DRP)
detailed steps to restore critical information and systems
BCP is long term, DRP is short term
Recovery Time Objective (RTO)
measure of when the system will be back online
Work Recovery Time (WRT)
length of time from when hardware/software is restored to when normal operations can resume
Maximum Tolerable Downtime
MTD = Recovery Time Objective (RTO) x Work Recovery Time (WRT)
Recovery Point Objective
amount of data that can be lost for a critical function
Site Recovery Strategies
Self-service - handle the disruption within current facilities
Reciprocal agreement - agreement with another entity to help one another during a disruption
Alternate sites: hot, warm, cold, hybrid, mobile
Alternate Sites
Hot - fully equipped and staffed
Warm - pre-equipped but not ready to go
Cold - empty facility
Hybrid - combination of hot/warm/cold; e.g. hot/cold: immediate failover to the hot site, use the cold site for a long-term disaster
Mobile - think of an office on wheels
Multiple processing sites - mirrored locations in different places; think "mirror"
Read-through, checklist, consistency testing
reviewing the plan to ensure all areas are covered
Structured Walk-through
step through the plans looking for errors or false assumptions
Simulation/Tabletop
test with mock-up scenarios
Parallel
recover to the alternate site while the main site is still running
Full Interruption
full failover to the alternate site
Training (BCP)
how to operate the alternate site
how to start emergency power
how to perform a restore from backup
Physical security & safety
Safety is #1
In the event of a disaster, in order of priority:
Personnel safety
Authorized access
Equipment protection
Information protection
Availability