2.1 Explain the importance of security concepts in an enterprise environment Flashcards

1
Q

Explain the security concepts of CONFIGURATION MANAGEMENT

A

Configurations change constantly: operating systems are upgraded, patches and updates are applied, the network is modified, new application instances are deployed, and so on. Document the hardware and software settings so that the baseline can be rebuilt if a disaster occurs.

2
Q

Explain DIAGRAMS in configuration management

A

Diagrams are part of the documentation you keep for the baseline configuration: network diagrams showing the physical cabling and devices, a diagram of the physical data center layout, and even per-device diagrams of individual cabling. They let you keep track of the hardware and software configuration when you need to respond to an incident.

3
Q

Explain the BASELINE CONFIGURATION in configuration management

A

Keep a well-defined baseline configuration for each application environment: standard firewall settings, required patch levels, approved OS versions, and so on. As these change over time, update the baseline documentation to match. The baseline is what integrity checks compare against, so any deviation in a system can be spotted and investigated to see exactly what it is doing.

4
Q

Explain STANDARD NAMING CONVENTIONS in Configuration management

A

A standard naming convention is easily understood by everyone, supports accountability, and makes devices easier to identify: asset tags and numbers, computer names, serial numbers, and so on. The same applies to the network (port numbers, VLANs) and to the domain configuration, where there should be a standard for user names, email addresses, etc.

5
Q

Explain INTERNET PROTOCOL (IP) SCHEMA in Configuration Management

A

An IP schema ensures consistent addressing for network devices and helps avoid duplicate IP addresses. It also lets you set a standard for the number of subnets and the number of hosts per subnet, so a device's address tells you where it lives.

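An IP schema as code, added here as an example (not from the flashcards): carve a supernet into one block per site, check the plan for overlaps, and validate host assignments against it. The site names, the hostname convention `<site>-<role>-<nn>` and every address are constructed.

```python
"""IP schema helper, added as an example (not from the flashcards).

Carves a supernet into per-site subnets, checks the plan for overlaps, and
validates host assignments for duplicates and out-of-subnet addresses.
Site names, the naming convention <site>-<role>-<nn>, and all addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

Subnets = Dict[str, ipaddress.IPv4Network]


def plan_subnets(supernet: str, new_prefix: int, sites: List[str]) -> Subnets:
    """Assign consecutive /new_prefix blocks of supernet to sites, in order."""
    blocks = list(ipaddress.ip_network(supernet).subnets(new_prefix=new_prefix))
    if len(sites) > len(blocks):
        raise ValueError(f"{supernet} yields only {len(blocks)} /{new_prefix} blocks for {len(sites)} sites")
    return dict(zip(sites, blocks))


def find_overlaps(subnets: Subnets) -> List[Tuple[str, str]]:
    """Pairs of sites whose subnets overlap; a correct schema returns an empty list."""
    names = list(subnets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if subnets[a].overlaps(subnets[b])]


def check_assignments(subnets: Subnets, assignments: Dict[str, str]) -> List[str]:
    """assignments maps hostname -> IP. The site is the first hostname label (assumed convention)."""
    problems: List[str] = []
    seen: Dict[ipaddress.IPv4Address, str] = {}
    for host, ip_str in assignments.items():
        ip = ipaddress.ip_address(ip_str)
        if ip in seen:
            problems.append(f"duplicate IP {ip}: {seen[ip]} and {host}")
        seen.setdefault(ip, host)
        site = host.split("-")[0]
        net = subnets.get(site)
        if net is None:
            problems.append(f"{host}: unknown site prefix '{site}'")
        elif ip not in net:
            problems.append(f"{host}: {ip} is outside the {site} subnet {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{host}: {ip} is the network or broadcast address of {net}")
    return problems


def demo() -> Tuple[Subnets, List[str]]:
    """Constructed plan: 10.20.0.0/16 split into a /24 per site, plus some bad host records."""
    subnets = plan_subnets("10.20.0.0/16", 24, ["nyc", "lon", "sfo"])
    assignments = {
        "nyc-fw-01": "10.20.0.1",
        "nyc-srv-01": "10.20.0.10",
        "lon-srv-01": "10.20.0.10",   # duplicate of nyc-srv-01, and not in lon's block
        "sfo-sw-01": "10.20.2.255",   # broadcast address
    }
    return subnets, check_assignments(subnets, assignments)


if __name__ == "__main__":
    plan, issues = demo()
    for site, net in plan.items():
        print(f"{site}: {net}  ({net.num_addresses - 2} usable hosts)")
    print("overlaps:", find_overlaps(plan))
    for issue in issues:
        print("PROBLEM:", issue)
```

Run the checks against the IPAM export or DHCP reservations on a schedule; a duplicate or out-of-schema address is usually a documentation error, but it is also what a rogue device or a misconfigured VM looks like.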
6
Q

Explain DATA SOVEREIGNTY

A

Data sovereignty means that data residing in a country is subject to the laws of that country. Some laws restrict where data may be stored or to where it may be transferred; the GDPR (General Data Protection Regulation), for example, permits personal data on EU residents to be transferred outside the EU only to destinations with adequate protection or under approved safeguards. These laws are a complex mesh of technology and legalities, and compliance requirements may prohibit you from moving data out of the country.

7
Q

Explain DATA PROTECTION

A

Without protection of its data, an organization can go out of business. Data is everywhere (on storage devices, on the network, in the CPU). It can be protected with encryption, security policies, and so on. Access to data should be restricted by permissions, because not everyone needs access: a user should have both the clearance and the need to know.

8
Q

Explain DATA LOSS PREVENTION (DLP) in Data protection

A

The point of DLP (Data Loss Prevention) is to stop data leaking out before attackers or unauthorized parties get hold of it. Because data leaves through so many channels, several DLP controls are usually needed: network DLP that inspects outbound traffic, endpoint DLP such as USB blocking on workstations and servers, cloud-based DLP that watches what is sent to cloud services, and email DLP, since email is one of the most common channels for data loss.

9
Q

Explain MASKING in Data Protection

A

Data masking is obfuscation that hides some of the original data, for example showing only the last four digits of a card number. It is used to protect PII and other sensitive data. Often the data is only hidden from view: it is stored intact on a server somewhere, and a user with the right permissions can see the full value. Masking covers several techniques, such as substitution, shuffling, encryption, and masking out characters.

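The masking techniques the card lists, as an added example (not from the flashcards): masking out a card number and an e-mail address, substitution with a keyed pseudonym, shuffling a column, and releasing the intact record only to a permitted role. The sample record, the pseudonym key and the role name `pii-reader` are constructed.

```python
"""Data masking helpers, added as an example (not from the flashcards).

Shows masking out (PAN, e-mail), substitution with a keyed pseudonym, shuffling
a column, and releasing the unmasked record only to a role that may see it.
The record, key and role names are constructed.
"""
import hashlib
import hmac
import random
import re
from typing import Dict, List

PSEUDONYM_KEY = b"constructed-key-keep-this-in-a-secrets-store"  # assumption


def mask_pan(pan: str) -> str:
    """Keep the last four digits, replace the rest with '*' (the receipt style)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "*" * (len(local) - 1) + "@" + domain


def pseudonymize(value: str) -> str:
    """Substitution: the same input always maps to the same opaque token, so joins still
    work, but without the key nobody can get back to the value (no original is stored)."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]


def shuffle_column(values: List[str], seed: int = 0) -> List[str]:
    """Shuffling: keep the real value distribution for test data but break the row linkage."""
    out = list(values)
    random.Random(seed).shuffle(out)
    return out


def render(record: Dict[str, str], roles: List[str]) -> Dict[str, str]:
    """The data stays intact in storage; masking happens on the way out unless the viewer
    holds a role that may see PII (the role name is an assumption)."""
    if "pii-reader" in roles:
        return dict(record)
    return {
        "customer_id": pseudonymize(record["customer_id"]),
        "email": mask_email(record["email"]),
        "pan": mask_pan(record["pan"]),
    }


# Constructed sample record; 4111... is the well-known test card number.
SAMPLE = {"customer_id": "C-10042", "email": "alice.smith@example.com", "pan": "4111 1111 1111 1111"}

if __name__ == "__main__":
    print("support view:   ", render(SAMPLE, ["support"]))
    print("fraud-team view:", render(SAMPLE, ["pii-reader"]))
```

Note the difference between the techniques: masking out and pseudonymizing protect a live view, while shuffling is for producing test data sets, and a masked view is only as safe as the permission check in front of the unmasked store.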
10
Q

Explain ENCRYPTION in Data Protection

A

Encryption encodes information into unreadable data. The original information is plaintext and the encrypted information is ciphertext. It is a two-way street: you can convert between the two if, of course, you have the proper key. A good cipher has two properties:

Confusion: the ciphertext is drastically different from the plaintext, and the relationship between the key and the ciphertext is obscured.

Diffusion: change one character in the input, and many characters in the output change.

11
Q

Explain DATA AT REST in Data Protection

A

Data at rest is data on a storage device such as a hard drive, SSD, or flash drive. Protect it by encrypting it: whole-disk encryption, database encryption, file- or folder-level encryption, and so on. Also apply permissions, such as access control lists, so that only authorized users can access the data.

12
Q

Explain DATA IN TRANSIT/MOTION in Data Protection

A

Data in transit (or in motion) is data being transmitted over the network. On its own it has little protection as it passes through the many switches, routers, and other devices along the path. A firewall or IPS can help protect it as it crosses the network, but the main protection is encrypting it in transit, with TLS (Transport Layer Security) or IPsec (Internet Protocol Security).

13
Q

Explain DATA IN PROCESSING in Data Protection

A

Data in use (or in processing) is data being actively processed in memory: system RAM, CPU registers, and cache. It is almost always decrypted at this point so that the CPU can work with it; otherwise you could not do much with it. That makes it attractive to attackers, who try to scrape it out of RAM.

14
Q

Explain TOKENIZATION in Data Protection

A

Tokenization replaces sensitive data with a non-sensitive placeholder (a token). The token is stored and used in place of the real value, which is held in a separate, protected token vault; this is common in credit card processing. It is not encryption or hashing: the token and the original data are not mathematically related, so the token cannot be reversed without the vault, and there is no encryption overhead.

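A token vault in miniature, added as an example (not from the flashcards): the card number is swapped for a random, format-preserving token, and the only link between them is the vault's lookup table. The in-memory vault, the `payment-processor` role and the test card number are constructed; a real vault is a separately secured, encrypted store.

```python
"""Tokenization with a token vault, added as an example (not from the flashcards).

A card number is replaced by a random, format-preserving token; the only link
between the two is a lookup table in the vault, which is where the real
protection has to live. Vault storage, role names and the PAN are constructed.
"""
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Multi-use tokens: the same PAN always gets the same token (needed for recurring
    billing and analytics). In production this mapping lives in a separately secured,
    encrypted store with its own access controls; here it is an in-memory dict."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Keep the BIN (first 6) and last 4 so downstream systems still route and
            # display, randomize the middle, and reject tokens that would pass Luhn so
            # a token can never be mistaken for (or used as) a real card number.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the component that actually charges the card may reverse a token."""
        if role != "payment-processor":          # role name is an assumption
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"   # well-known test number, not a real card
    token = vault.tokenize(pan)
    print("stored in the order database:", token)
    print("reversed by the processor:   ", vault.detokenize(token, "payment-processor"))
```

Because the token carries no information about the PAN beyond the digits deliberately kept, a breach of the order database yields nothing usable; the vault, and the authorization check in front of `detokenize`, are what must be defended.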
15
Q

Explain RIGHTS MANAGEMENT in Data Protection

A

Information rights management controls how data is used, and is seen in Microsoft Office documents, email messages, and PDFs. It restricts what even an authorized recipient can do: preventing copy and paste, controlling screenshots, managing printing, restricting editing, and so on. Each user is given their own set of rights, so an attacker who obtains the file has limited options.

16
Q

Explain GEOGRAPHICAL CONSIDERATIONS

A

There are legal implications to where data and facilities are located. Business regulations vary from state to state and from country to country. For recovery sites outside the country, personnel must have passports and be able to clear immigration. Always refer to your legal team. Consider offsite backups, and whether they are organization-owned or third-party owned, as well as offsite recovery, disaster recovery, business continuity, travel considerations, and so on.

17
Q

Explain RESPONSE AND RECOVERY CONTROLS

A

Attacks have become so frequent and complex that incident response and recovery are commonplace. It is important to establish an incident response plan so that everyone knows how to respond to an attack, and to future attacks, in order to mitigate the damage. This is why documentation, identifying the attack, and containing it are important. It is also important to limit the attacker's impact by limiting data exfiltration and access to sensitive data.

18
Q

Explain SECURE SOCKETS LAYER (SSL)/TRANSPORT LAYER SECURITY (TLS)

A

These are the protocols that encrypt traffic such as HTTPS on port 443 (SSL is the deprecated predecessor; TLS is what is used today). Because the data is encrypted, inspecting it for malicious content requires SSL/TLS inspection: a specially configured proxy is inserted in the middle of the connection, terminates the client's session, examines the data, and opens a second session to the server. SSL/TLS relies on trust at both endpoints, so this only works if the clients have been configured to trust the inspection device's certificate authority; otherwise they will (correctly) reject the interception as an on-path attack.

19
Q

Explain HASHING

A

Hashing represents data as a short, fixed-length string (the digest). It is a one-way trip: it is computationally infeasible to recover the original message from the digest. It is used to store passwords (with a salt, so that identical passwords produce different digests), for integrity checks that show whether a document is the same as the original, and as the basis of digital signatures. A collision is when two different messages produce the same hash. For a secure hash it is infeasible to find one; for broken algorithms such as MD5 and SHA-1, collisions have been demonstrated in practice, which is why they should not be used for signatures.

20
Q

Explain API CONSIDERATIONS

A

An API (Application Programming Interface) controls software or hardware programmatically, and its authentication endpoints need to be secured and hardened just like a login page. One attack is an on-path attack, where an attacker intercepts and modifies API messages, or captures and replays API commands. Another is API injection, where malicious data is injected into an API message. A denial of service is also possible: a single expensive API call, or many of them, can take the system down. This is why companies add API security that stresses authentication and authorization, and often put a web application firewall in front of the API.
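One defence against the on-path modification and replay the card mentions, added as an example (not from the flashcards): the client signs method, path, timestamp, nonce and a body hash with a shared secret, and the server recomputes the signature, rejects stale timestamps, and remembers nonces within the window. The key ID `client-42`, the shared secret, the header names, the path and the timestamps are all constructed.

```python
"""Signed API requests with replay protection, added as an example (not from the flashcards).

The client signs method, path, timestamp, nonce and a body hash with a shared
secret; the server recomputes the signature, rejects stale timestamps, and
remembers nonces inside the window so an on-path attacker can neither alter a
request nor replay it. Key IDs, secrets, paths and timestamps are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical provisioning data: in practice per-client secrets come from a secrets store.
API_SECRETS: Dict[str, bytes] = {"client-42": b"constructed-shared-secret"}


def canonical(method: str, path: str, body: bytes, ts: str, nonce: str) -> bytes:
    """Everything the server will check must be covered by the signature, body included."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, ts, nonce, body_hash]).encode()


def sign_request(key_id: str, method: str, path: str, body: bytes,
                 now: Optional[float] = None) -> Dict[str, str]:
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    sig = hmac.new(API_SECRETS[key_id], canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": ts, "X-Nonce": nonce, "X-Signature": sig}


class RequestVerifier:
    def __init__(self, window_seconds: int = 300) -> None:
        self.window = window_seconds
        self._seen: Dict[str, float] = {}   # nonce -> time it may be forgotten

    def verify(self, method: str, path: str, body: bytes, headers: Dict[str, str],
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        secret = API_SECRETS.get(headers.get("X-Key-Id", ""))
        if secret is None:
            return False, "unknown key id"
        ts, nonce = headers.get("X-Timestamp", ""), headers.get("X-Nonce", "")
        if not ts.isdigit() or abs(now - int(ts)) > self.window:
            return False, "stale or malformed timestamp"
        expected = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}   # prune old nonces
        if nonce in self._seen:
            return False, "replayed nonce"
        self._seen[nonce] = now + self.window   # remember only after the signature checks out
        return True, "ok"


if __name__ == "__main__":
    body = b'{"amount": 10, "to": "acct-1"}'
    hdrs = sign_request("client-42", "POST", "/v1/transfer", body, now=1_700_000_000)
    v = RequestVerifier()
    print("original:", v.verify("POST", "/v1/transfer", body, hdrs, now=1_700_000_005))
    print("tampered:", v.verify("POST", "/v1/transfer", body.replace(b"10", b"9999"), hdrs, now=1_700_000_006))
    print("replayed:", v.verify("POST", "/v1/transfer", body, hdrs, now=1_700_000_007))
    print("too old: ", v.verify("POST", "/v1/transfer", body, hdrs, now=1_700_001_000))
```

This does not replace TLS: the secret is still a bearer credential, and the signature only proves the request was not altered or reused. The nonce store must be shared across API nodes (the window bounds its size), otherwise a captured request can be replayed against a different node.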

21
Q

Explain SITE RESILIENCY

A

With site resiliency, a recovery site is prepared and data is synchronized to it in case of a disaster. When a disaster occurs, business processes fail over to the alternate processing site. It could take hours, days, months, or longer for the original problem to be addressed, so there also needs to be a documented process for moving back from the backup site to the main site.

22
Q

Explain a HOT SITE in site resiliency

A

An exact replica of the original site. It is stocked with hardware and constantly updated: you need to buy two of everything, and applications and data are kept current through automated replication. All you need to do is flip a switch and everything moves.

23
Q

Explain a COLD SITE in site resiliency

A

A site with no hardware: an empty building. It has no data, so you have to bring it with you, and no people either, so everyone has to go with you.

24
Q

Explain a WARM SITE in site resiliency

A

Somewhere between a hot and a cold site: just enough to get going. Depending on the arrangement, it may be a big room with rack space, so you bring the hardware, or the hardware may already be racked and waiting, so you only bring the software and data.

25
Q

Explain a HONEYPOT in deception and disruption

A

A system that attracts attackers and keeps them engaged. The attacker is often an automated tool, so you can analyze the methods and procedures it uses to exploit a machine. There are many options, such as Kippo, Google Hack Honeypot, and Wordpot. It is a constant battle: attackers try to tell the real systems from the fake ones, and defenders try to make the fakes convincing.

26
Q

Explain a HONEYFILE in deception and disruption

A

A honeyfile is bait placed where an attacker would look, for example a file named passwords.txt, and an alert is sent if the file is accessed. It is a virtual bear trap.

27
Q

Explain a HONEYNET in deception and disruption

A

A honeynet is a network of multiple honeypots, built to look like a real environment.

28
Q

Explain a FAKE TELEMETRY in deception and disruption

A

Machine learning models are trained on telemetry (big data about how systems and software behave) so they can identify what signature-based tools miss, recognizing malware by what it does rather than by signature. Fake telemetry is an attack on that training: the attacker feeds the model crafted data so that it learns to classify malicious activity as benign.

29
Q

Explain a DNS SINKHOLE in deception and disruption

A

A DNS sinkhole is a DNS server that deliberately hands out incorrect addresses. An attacker can use the technique to redirect users to malicious sites, but defenders use it too: the internal resolver answers queries for known-malicious domains with a harmless internal address, so infected hosts cannot reach their command and control, and the logs show exactly which hosts tried.
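The defensive sinkhole in model form, added as an example (not from the flashcards): the resolver answers any query for a blocklisted domain or its subdomains with the sinkhole address and records the querying client. The blocklist, the upstream records, the sinkhole address `10.0.0.250` and the client IPs are constructed.

```python
"""DNS sinkhole model, added as an example (not from the flashcards).

The internal resolver answers queries for known-malicious domains (and their
subdomains) with a sinkhole address instead of the real one, and records which
client asked, which is how infected hosts get found. The blocklist, upstream
records, addresses and client IPs are all constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set

SINKHOLE_IP = "10.0.0.250"   # assumed internal host that logs connections and serves nothing
BLOCKLIST = {"evil-c2.example", "update-check.badcdn.example"}
UPSTREAM: Dict[str, str] = {   # what a real forwarder would have returned (constructed)
    "www.example.com": "93.184.216.34",
    "evil-c2.example": "203.0.113.7",
    "cdn.evil-c2.example": "203.0.113.8",
}


class SinkholeResolver:
    def __init__(self, blocklist: Set[str], sinkhole_ip: str, upstream: Dict[str, str]) -> None:
        self.blocklist = {d.lower().rstrip(".") for d in blocklist}
        self.sinkhole_ip = sinkhole_ip
        self.upstream = upstream
        self.hits: Dict[str, List[str]] = defaultdict(list)   # domain -> querying clients

    def is_blocked(self, name: str) -> bool:
        """Match the name and every parent domain (so cdn.evil-c2.example is caught),
        label by label rather than by substring (so notevil-c2.example is not)."""
        labels = name.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels)))

    def resolve(self, name: str, client_ip: str) -> Optional[str]:
        """Return the A record to hand back, or None for NXDOMAIN in this model."""
        if self.is_blocked(name):
            self.hits[name].append(client_ip)
            return self.sinkhole_ip
        return self.upstream.get(name.lower().rstrip("."))

    def infected_hosts(self) -> List[str]:
        """Clients that tried to reach a sinkholed domain: candidates for incident response."""
        return sorted({c for clients in self.hits.values() for c in clients})


if __name__ == "__main__":
    r = SinkholeResolver(BLOCKLIST, SINKHOLE_IP, UPSTREAM)
    for q, client in [("www.example.com", "10.0.1.5"), ("evil-c2.example", "10.0.1.5"),
                      ("cdn.evil-c2.example", "10.0.1.9"), ("notevil-c2.example", "10.0.1.7")]:
        print(f"{client} asked {q:25} -> {r.resolve(q, client)}")
    print("hosts to investigate:", r.infected_hosts())
```

The sinkhole only sees hosts that use the internal resolver, so pair it with a firewall rule that blocks direct outbound DNS (and DNS over HTTPS to public resolvers); malware that hard-codes its own resolver bypasses the sinkhole otherwise.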