SSA Flashcards

1
Q

(C) ISO

A

Information Security Officer – the highest security role, in charge of security policy. Informs, advises and alerts management on matters relating to information security. Essentially managerial (managing engineers and technicians). Must have good knowledge of networks, systems and InfoSec. Ensures the company’s data is secure and runs security awareness training.

2
Q

Security Analyst

A

Looks through logs or VizSec output and security policies. The use of information in the role implies that it is more on the management side of things.

3
Q

IDS purpose

A

An IDS provides better network security. Depending on how it is configured, it can discover incidents such as security policy violations, infections, information leakage and unauthorized clients.

4
Q

Is IDS everything?

A

No. IDS alerts make up only a tiny part of the data; other tools that provide security and gather data are: firewalls, NIDS sensors, routers and switches, server logs, host IDS, fingerprinting and honeypots.

5
Q

Anomaly Detection 1

A

Anything that is not flagged as RIGHT must be flagged as WRONG. What if someone needs to access the email server after the “allowed” time set by the signatures? Or works overtime?

6
Q

Anomaly Detection 2

A

What happens if you do not have the right parameters and dataset? What if hackers are already in before profiling and malicious data is already going inbound/outbound? So this approach takes the temperature of a normal network, lets it run for a while, and whatever is running then is what is considered OK to run. This obviously raises some issues.

7
Q

Anomaly Detection Pros

A
  • Can detect unknown attacks (zero day)
  • Can detect wide ranging categories of known attacks

8
Q

Anomaly Detection Cons

A
  • Things may happen in the defining process
  • No protection during the defining process
  • Hard to define normal
  • “Difficult to understand”
  • Even with an optimal configuration it may generate high levels of false positives
9
Q

Misuse Detection Pros

A

Well defined signatures to minimize false positives.
Based on known unacceptable behavior.
Systems are protected from day 0

10
Q

Misuse Detection Cons

A

Signatures must be maintained
Cannot detect unknown attacks
Signatures are often made too specific, generating a lot of false positives

11
Q

Anomaly vs Misuse

A

Misuse detection is the most popular; it is easier to create and maintain, especially if one is not fussy about quality or performance.

Anomaly detectors are hard to create, especially without knowing specifics about the system, which makes them hard to train. Works against DDoS.

Anomaly detection is also hard to maintain, because the profiling process requires trained personnel to work on it and produce a good signature.

12
Q

Asymmetric Encryption

A
  • Has the most advantages, because it allows public keys and encryption algorithms to be exchanged openly without compromising secure transmission.
  • However, it is computationally expensive, meaning it is not suitable for real-time communication.
  • Very difficult to crack: even with the algorithm and the public key you cannot simply derive the private key.
    Relies on the difficulty of factoring a number into its large prime factors.
  • Large primes are hard to find, and they cannot be broken down into smaller prime factors, meaning an attacker could not easily deduce all the prime factors in the time available.
  • A secure solution for now.
  • The public key is the number made by multiplying two primes; however, we do not know which numbers were multiplied to get it. It is impossible to work out which numbers were multiplied, but if we had one of the two numbers we could work out the other.
13
Q

Symmetric Encryption

A
  • Danger of key exchange
  • A lot less resource intensive than asymmetric (meaning it can be used for real-time communication)
  • Symmetric is where the compromises happen (because of the principle and how it is implemented)
  • In theory, as secure as asymmetric, presuming its keys are not compromised
  • It is what is used in the real world, meaning it is put through a lot of strain and people are constantly looking for flaws in it
  • People often do not prioritize quality when implementing it in the work world.
14
Q

Ciphers

A

Two basic types of symmetric cipher:

Stream Cipher – operates on streams of data of unknown size one bit at a time

Block Cipher – operates on blocks of plaintext of known size

15
Q

Data and Log analysis

A

By using scripts and regular expressions we can simplify the task of analysing security logs and large data sets. Perl is a great language for this type of work because it integrates regular expressions natively and is optimized for scanning arbitrary text files and extracting information.

16
Q

Data Visualisation/VizSec

A

Aims to provide an interface between the human mind and the computer

It is difficult to automate the analysis of complex data

2D VizSec tools are best for monitoring, since they avoid the need for constant attention.
DAVIX is an OS that ships with lots of tools for this

17
Q

Security visualization can be broadly grouped into one of three types

A

Monitoring – Provides an overview of system, real-time updates, starting point for analysts when looking at unusual activity, suspicious activity is flagged

Analysis – provides greater detail of events than monitoring tools, increased level of interactivity

Response – even greater interactivity, ability to annotate events, save histories and group together related events

18
Q

Security Strategies (List the 6)

A

1 LEAST PRIVILEGE
2 DEFENSE IN DEPTH
3 CHOKE POINT
4 WEAKEST LINK
5 DIVERSITY IN DEFENSE
6 FAIL-SAFE STANCE

19
Q

SQL Injection General

A

SQL Injection – injecting a SQL query using input data from the client to the application.

Successful SQL injection can read sensitive data from the DB, modify data, execute admin operations on the DB

20
Q

Why visualize?

A

Security applications such as IDS, firewalls are good at logging data. Meaning there will be a ton of logs to read through, using vizsec we can get a graphical interface to read this. This is for most people a better way to see what the IDS is alerting, compared to making sense of all the logs.

21
Q

SQL Injection Prevention

A

Use prepared statements, stored procedures and escaping all user supplied input.

22
Q

Vizsec purpose

A
  • Provide an interface between two powerful information processing systems, the human mind and the computer
  • Very difficult to automate the analysis of complex data – computers cannot reason, so it is better to present it to an analyst and let the analyst make the decision
23
Q

Why Vizsec

A

Why do we visualise? Because our security applications (Firewalls, NIDS sensors, Routers & switches, server logs, host IDS, finger printing and honey pots.) are great at logging data.

  • But one person can’t properly look through 1000s of logs every day.
  • “Expertise” is a problem, straightforward to setup an IDS, but only the trained eye can make sense of the logs it makes (for example)
24
Q

Benefits of Vizsec

A

Basically, a wall of text compared to a simple graphical 2D timeline of, for example, events reported by Snort running on the IDS.

25
Q

The What, When, Where Approach

A

Combining the three (What, when and where) provides a greater understanding of an attack.

26
Q

The What, When, Where Approach (What does each one mean)

A

What – The type of event that triggered the alert

When – how long ago did it occur

Where – the location of the event, e.g. IP address

27
Q

Two important ways of classifying security visualization tools

A
  • Operating Timeframe – monitoring, analytical, informational
  • Predominant Data Type – geographical, logical, temporal
28
Q

Sawmill

A
  • Popular universal log file analysis and report tool
  • Supports over 800 log formats
  • Runs on all major platforms

May for example arrange data geographically

29
Q

SQL Injection Example

A

Consider this SQL query:

SELECT * FROM Users WHERE Username='$username' AND Password='$password'

This is used in web applications to authenticate users. If the query returns a row, the user exists and may log in to the system; otherwise access is denied. The values are of course obtained from the user via a web form.

Suppose we insert the following username and password values:

$username = 1' or '1' = '1
$password = 1' or '1' = '1

This means the query will be:

SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

If this is sent using the GET method, the query returns rows, because the condition is true:

http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1
(OR 1=1)

This means the system has authenticated the user without knowing the username and password.

30
Q

IDS glossary (List the 7)

A
  • Misuse Detection
  • Anomaly Detection
  • Evasion Techniques
  • Event Horizon
  • Base-rate fallacy limitation
  • False Positive
  • False Negative
31
Q

IDS glossary - Misuse Detection

A

Detecting activity that matches patterns of unacceptable behaviour

32
Q

IDS glossary - Anomaly Detection

A

Detecting deviations from acceptable behaviour profiles

33
Q

IDS glossary - Evasion Techniques

A

Intrusion detection system evasion techniques are modifications made to attacks in order to prevent detection by an intrusion detection system (IDS).

34
Q

IDS glossary - Event Horizon

A

The number of packets that must be collected and cached by a sensor so that an attack spread over multiple packets can be detected.

35
Q

IDS glossary - Base-rate fallacy limitation

A
  • This limitation occurs when the volume of information reported overloads the observer, which in turn prevents the intrusion from being detected
36
Q

IDS glossary - False Positive

A

A false alarm that is not related to misuse or behaviour deviation

37
Q

IDS glossary - False Negative

A

A misuse event or behaviour deviation that is not detected

38
Q

Security Strategies - Least privilege

A
  • Each user, minimum access
  • In case a user is breached the escalation is limited
  • Don’t let software run with more privilege than they need
  • Mandatory UAC
  • AppArmor
39
Q

Security Strategies - Defense in depth

A
  • Multiple layers of security
  • Don’t put all your eggs in one basket
  • Unwise to depend solely on a single security product
  • Use complementary systems
40
Q

Security Strategies - Choke point

A
  • Narrowing down to a single point of entry
  • Makes it very easy to monitor
  • Concentrate defences in one place
  • Completely useless if there are other ways into the network
  • If employees have remote access, it’s fine but it must be monitored
  • Consider BYOD
41
Q

Security Strategies - Weakest link

A
  • People are the weakest link
  • Ensure the weakest link is strong
  • Physical access is usually the weakest point in netsec (doors/windows open at night)
42
Q

Security Strategies - Diversity in defense

A
  • NOT to be confused with defense in depth
  • Having a diverse number of vendors
  • E.g. a bug in Cisco switches but not in HP
43
Q

Security Strategies - Fail-safe stance

A
  • If you fail, fail safely and quickly
  • Turn it off and they can’t get in (last hope)
  • If security should fail, let it fail in a way that denies the intruder