401_2 Flashcards

(141 cards)

1
Why are most worms successful?
A prevalence of undefended perimeters
OSs are left unchanged and unpatched
One application automatically installing another.
2
What is the CIA triad?
Confidentiality, Integrity, and Availability
3
What is Risk?
The probability of a threat crossing or touching a vulnerability
4
What is the impact of vulnerabilities in the risk calculation?
Vulnerabilities reduce the risk
5
How does threat affect risk?
Threats drive the risk calculation
6
What is the key focus of risk?
Confidentiality / Disclosure
Integrity / Alteration
Availability / Destruction
7
What are the primary threats?
Malware
Insider
Natural Disasters
Terrorism
8
What is a threat?
Any activity that represents a possible danger to information or operations.
Anything that would negatively impact CIA.
Threats are the agents of Risk
9
What is the relationship between vulnerabilities and threats?
Vulnerabilities are the gateway by which threats are manifested.
10
What is a vulnerability?
A weakness in a system or process that could be exploited by a threat
11
What are the primary vulnerability types?
Software
Electronic
Human
Physical
12
What are the 4 approaches to Defense-in-Depth?
Uniform protection
Protected enclaves
Information centric
Threat vector analysis
13
When discussing Defense-in-Depth, how does uniform protection treat all systems?
As equally important
Gives no special consideration or protection to the critical intellectual property of an organization.
14
To what type of threat is the uniform protection approach to Defense-in-Depth most vulnerable?
Insider
15
What two things are needed to manage configurations?
A baseline
A way to detect when a change occurs to the baseline
16
What are the dangers associated with malware?
Destroying Data
Leaking Information
Providing Backdoor Access
17
An effective malware defense strategy should incorporate the following items.
1. Antivirus software at multiple locations
2. Up-to-date virus signature files
3. A practice of reviewing and installing security patches
4. Lock-down of system configuration and dangerous application features
5. Blocking file attachments (#1 to stop email viruses)
18
What are the 3 primary defensive techniques incorporated into an antivirus product?
Scanners
Activity monitors
Integrity checkers
19
What is another word for Activity monitors?
Behavior blockers
20
List 2 examples of integrity verification software
Tripwire
AIDE
21
What are some classic locations for antivirus products?
Workstations
File and print servers
Mail servers
Internet gateways
22
What is a security policy?
It establishes what you must do to protect information stored on computers and contains sufficient definition of “what” to do so you can identify, measure, or evaluate the “how.”
23
How does a security policy protect people?
Allows people to take necessary actions without fear of reprisal
Compels the safeguarding of information
Eliminates, or at least reduces, personal liability
24
How do you sell the need for a security policy to executives and users?
To sell to executives, talk about the money
To sell to users, talk about how it makes their job easier
25
Why does an organization need a security policy?
Protects the org, the people, and the info
Establishes what must be done to protect information stored on computers
Protects people who are trying to do the right thing
26
What does a mission statement have to do with information security?
It allows security workers to be sensitive to the needs of the business
27
What is the foundation for evaluating policy?
A baseline of the existing documentation
28
What do policies address?
The who, what, and why
29
What do procedures address?
The how, where, and when
30
What is a policy?
A directive that indicates a conscious decision to follow a path towards a specified objective.
31
What is a standard?
Specifies a certain way something should be done or a certain brand or type of equipment that must be used.
32
What is a baseline in relationship to a standard?
A baseline is a more specific implementation of a standard and gets into the specific technical details of how a system should be configured, e.g., hardening guides.
33
What are guidelines?
Suggestions to assist users, systems personnel, and others in effectively implementing policies and procedures, i.e., recommendations.
34
What needs to be included in a policy?
Purpose
Related documents or references
Cancellation or expiration
Background
Scope
Policy Statement
Responsibility
Action
35
How must a policy statement be written?
Clear, concise, and meet SMART objectives
Contain the guiding principles and 5 Ws (who, what, when, where, and why)
36
With what other policies should the security policy be consistent?
Mission Statement
Program Policy
Issue-Specific
System-Specific
37
What should be followed when creating a security policy?
State the issue
Identify the players (maintainer, HR, legal, management)
Find all relevant documentation that may exist
Define the policy, including all necessary sections
Identify penalties for non-compliance
Make sure it is enforceable
Submit for review and approval
38
What is an NDA?
Non-Disclosure Agreement
39
What three elements must be sent in order to register a copyright with the Library of Congress?
Properly completed application form
Application fee (currently $30)
"Deposit" (sample copy) of the work
40
What is a Business Continuity Plan (BCP)?
A plan for emergency response, backup operations, and post-disaster recovery maintained as a part of a security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.
41
What is a Disaster Recovery Plan (DRP)?
A plan that covers the tactical recovery of IT systems in the event of a disruption or disaster
42
Business continuity activities form a _______ over a crisis situation, while disaster recovery activities are a ________ of business continuity activities.
umbrella
subset
43
Name the six key components of a Business Continuity Plan.
Assess
Evaluate
Prepare
Mitigate
Respond
Recover
44
What is the primary goal of the Business Impact Analysis?
To determine the maximum allowable (or tolerable) downtime for any given system.
45
List five mistakes that are commonly made in contingency planning.
Lack of BCP testing
Limited scope
Lack of prioritization
Lack of plan updates
Lack of plan ownership
Lack of communication
Lack of security controls
Inadequate evaluation of vendor suppliers
Inadequate insurance (loss of life)
46
What are the two primary categories of data classification?
Public / Non Classified / Non Confidential
Private / Classified / Confidential
47
What are the five DoD and federal classification levels?
Top Secret
Secret
Confidential
Sensitive But Unclassified (SBU)
Unclassified
48
With respect to access control, what does the acronym IAAA represent?
Identity
Authentication
Authorization
Accountability
49
Authentication is proving that you are who you say you are and is done in what four ways?
Something you know
Something you have
Something you are
Someplace you are
50
What are the four principles associated with access control that you should utilize to make sure your security is as robust as it can possibly be?
Least Privilege
Need to Know
Separation of Duties
Rotation of Duties
51
What are six common types of access control?
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-based Access Control (RBAC)
Ruleset-based Access Control (RSBAC)
List-based Access Control (LBAC)
Token-based Access Control (TBAC)
52
Actively maintaining user accounts, data, and their relationships is a process called ________ and consists of what four tasks?
Access Management
Account Administration, Maintenance, Monitoring, and Revocation
53
What are some common ways of implementing SSO?
Scripts
LDAP or AD
Secure Tokens
Kerberos
54
By what different names is irreversible encryption known?
One-way encryption
One-way hashing
Hashing
55
The strength of a hash used for password storage primarily depends on what five factors?
Quality of algorithm
Key length (Hash length)
CPU cycles
Character set support
Password length
56
What is password cracking?
The process of trying to guess or determine plaintext passwords, given only encrypted passwords
57
What are the basic steps involved in cracking passwords?
Find a valid user ID
Find the encryption algorithm
Obtain the encrypted password
Create a list of possible passwords
Encrypt each password
See if there is a match
58
What are the four general attack methods for cracking passwords?
Dictionary Attack
Hybrid Attack
Brute Force Attack
Pre-computation Attack
59
What are two common tools used to crack passwords?
John the Ripper
Cain
60
How do computers store passwords?
As one-way cryptographic hashes
61
What three major design flaws in Windows NT and Windows 2000 allowed passwords to be cracked very quickly?
Breaks the password into two seven-character words before applying the hash algorithm
Automatically converts all lowercase characters to uppercase
Does not use salts
62
What effect does a salt have on a password hash?
Ensures that two users with the same password will have a different ciphertext.
63
_____ is one of the best Windows password cracking programs on the market for what reasons?
Cain
Easy to use and nice GUI
Takes advantage of weak LAN Manager
Can crack passwords extremely quickly
Uses DLL injection to extract password hashes
Option to sniff a challenge/response dialogue
Circumvents MS SYSKEY protection mechanism
Free
64
What is a rainbow table?
Name given to the files that are produced by pre-computing password hash values and storing the data in an optimized manner.
65
What techniques can be used to protect against password cracking?
Protect encrypted passwords
Enforce a strong password policy
Use one-time passwords or multi-factor authentication
Disable LANMAN
Prevent pre-computation attacks (
66
What are three quantities typically associated with the reliability of a biometric mechanism?
False Acceptance Rate (FAR)
False Reject Rate (FRR)
Cross Error Rate (CER)
67
What is Incident Handling?
The action or plan for dealing with intrusions, cyber-theft, denial of service attacks, malicious code, and other events
68
What is an Incident in the context of Incident Handling?
An adverse event in an information system, and/or network, or the threat of the occurrence of such an event
69
What is an event?
Any observable occurrence in a system and/or network.
Something that happened in time that you either directly experienced or that you can demonstrate actually occurred.
70
What is the relationship of an event to an incident?
All incidents are composed of a series of events, but not all events are considered incidents
71
Which of the following would you consider an incident?
- Attackers exploiting Sendmail on a Unix system
- Attackers running a NetBIOS scan against a Unix system
- A missing backup tape that contains sensitive information
Yes to all three.
72
What are the six stages of Incident Handling?
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
73
What are some key items to consider during the preparation phase of the Incident Handling process?
1. Out of band communication
2. Notification of law enforcement officials
3. Contain and cleanup or observe
74
In which of the plans that encompass the Business Continuity Plan would Incident Handling be included?
- Disaster Recovery
- End-user Recovery
- Contingency
- Emergency Response
- Crisis Management
Disaster Recovery
75
What is the goal of the containment stage of the Incident Handling process?
To stabilize the environment
Make a binary backup of the systems for analysis
Secure the area
Change passwords ASAP
76
List three of the most common backup access methods (backdoors).
A process listening on a specific port and offering shell access
Creating a new user account with high privileges
Scheduling jobs that periodically run programs that open new paths to access the system.
77
What is the key point to consider in the recovery phase of the Incident Handling process?
To ensure you are not restoring vulnerable code that has already proven itself to be exploitable or already compromised.
78
What are the two main options available when restoring a compromised system?
1. Installing the OS and apps from scratch
2. Restoring from a trusted backup and patching to fix the vulnerability
79
What are some key Incident Handling mistakes that are commonly made in organizations?
1. Failure to report an incident or ask for help
2. Incomplete or nonexistent notes
3. Mishandling or destroying evidence
4. Failure to create working backups
5. Failure to contain or eradicate the incident
6. Failure to prevent re-infection
7. Failure to apply lessons learned
80
What are the two dominant legal systems in the world?
1. Common Law System
2. Civil Law System
81
What is the common law system often referred to as?
Judge-made Law
82
What is the difference between the common law system and the civil law system?
Common law is based on precedent set by prior court rulings. Civil law is based on written rules and codes.
83
What is a "tort" with respect to Incident Handling?
A civil wrong
84
What forms an integral part of "Tort Law"?
The Law of Negligence
85
What are the two main categories of law?
Criminal Law
Civil Law
86
What is the burden of proof for criminal law?
Have to prove beyond a reasonable doubt that someone committed a crime.
87
Who is the victim in a criminal law case?
Society
88
What is chain of custody?
A concept in jurisprudence that applies to the handling of evidence and its integrity. Refers to the document or paper trail showing the seizure, custody, control, storage, transfer, and analysis of physical and electronic evidence.
89
What algorithms are used for preserving computer-based evidence?
MD5
SHA1
90
What is real evidence?
A tangible item such as the seized computer or USB thumbdrive
91
What is direct evidence?
Refers to evidence gathered from an eyewitness or the person who watched or logged an incident as it occurred.
92
What are two key tenets of cyber security?
1. Know thy system
2. Prevention is ideal but detection is a must
93
What are the three basic tools of information warfare?
1. Perception management
2. Malicious code
3. Predictable response
94
At its heart, what has the focus for information warfare been over the past decade?
Economic
95
What is asymmetry with respect to information warfare?
When a fairly small investment or input has a very large effect.
96
Give an example of cycle time.
The decreasing amount of time between a vulnerability announcement, patch availability, and the release of a worm taking advantage of the vulnerability.
97
What is the basic model for assessing collected data?
Does the data indicate a stimulus or response?
Assess the targeting
Is there implied evidence of earlier successful reconnaissance?
Mechanically assess the trace
Make an estimate as to the purpose and severity
98
List the typical information warfare offensive players.
1. Insiders (Employees, Ex-Employees, Temps, Contractors)
2. Hackers
3. Criminals
4. Corporations
5. Governments
6. Terrorists
99
What is the overall goal of an information warfare attack?
To target an information resource and either make it more valuable to the offense or less valuable to the defense. To cause harm to the target organization.
100
What is the mantra of the information operations worker?
We win; you lose, but perhaps not in zero-sum fashion
101
As a defender in an information warfare attack, what is one of our most important tools?
Defense-in-depth
102
Why is defense not dominant in information warfare?
Vast perimeter to defend (mobility)
Complex systems
Data portability (cloud computing)
Insiders whether malicious or just careless
Security is often an afterthought
103
What protocol do browsers and servers use to communicate over the Web?
HTTP - Hypertext Transfer Protocol
104
What are the two parts of an HTTP transaction?
Client request
Server response
105
What are the most common HTTP methods?
GET
PUT
POST
HEAD
106
What three components make up the first line of an HTTP request?
1. Name of the method
2. Resource being requested
3. HTTP Version
107
What additional component is required in the HTTP/1.1 protocol that is not required in the older HTTP/1.0 protocol?
Host header to specify at which domain the request is aimed. This allows a single web server on a single IP address to process requests for multiple domains.
108
HTTP status codes beginning with the number __ are error codes.
4
109
What are the three pieces that make up an HTTP request?
1. Request
2. Header lines
3. Body
110
What are the three pieces that make up an HTTP response?
1. Status line
2. Header lines
3. Body
111
What three fields are in the HTTP response status line?
1. HTTP Version
2. Status code
3. Description (free form text message)
112
What was the creator's main purpose in developing HTML?
Allow for standard formatting of documents and to facilitate easy editing and uploading of Web-based documents for the purposes of collaboration
113
How is form data sent with the GET action?
It is appended to the URL query string.
114
How is form data sent with the PUT action?
It is sent within the HTTP headers
115
Is HTTP a stateless or stateful protocol?
Stateless
116
In web terms, what is a cookie?
A named piece of data created by a Web server and stored at the Web browser.
117
What do cookies most commonly keep track of?
User authentication
Application session state
118
What are the two types of cookies?
Persistent - stored in text file
Session (non-persistent) - stored in memory
119
List some rules cookies must follow.
1. Must have been set by a Web server and can only be sent back to that same Web server
2. Web server must specify the contents of the cookie at the time it is created
3. Can't violate your privacy as they only contain info already known to the site.
120
What is the most significant concern with cookies?
They can be used to track your Web usage.
121
What are the three roles of SSL?
1. Encryption
2. Server identity verification
3. Data integrity
122
What is SSL?
Secure Sockets Layer is a protocol that provides an encrypted tunnel between two SSL-aware applications.
123
What is negotiated during the handshake phase of an SSL connection?
The type and strength of encryption to use
124
What is presented to the client during SSL initialization allowing the user to verify the server's identity?
Public key certificate
125
What components should be included in an organization's development, testing, and deployment process to prevent the introduction of vulnerabilities?
1. Security training for developers
2. Peer reviews
3. Formal testing
4. Performance testing
5. Configuration management and version control
6. Staging and deployment
126
What is an ASP?
Application Service Provider
127
What items should be on the audit checklist for ASPs?
1. How will they secure the applications?
2. When was the last audit? (every 6 months is ideal)
3. Review the patch mgmt history
4. Should allow vulnerability scanning
128
What is the best way to identify the security practices of an ASP?
By performing an audit every six months.
129
What are the two most commonly seen web authentication methods?
1. HTTP Authentication
2. HTML Form based Authentication
130
What are the two native HTTP authentication schemes?
1. Basic Authentication
2. Digest Authentication
131
What is a URL directory traversal attack?
A user exploiting vulnerabilities on a web server to gain access to restricted directories, execute commands, and view data outside of the directories meant to be published.
132
What is the most popular technique for tracking a user through multiple web requests?
The use of Session IDs.
133
Where are session IDs often stored?
1. Hidden form element
2. Cookies
3. URL query string
134
What are common examples of input attacks?
1. OS command injection
2. Buffer overflows
3. SQL Injection
4. Cross Site Scripting
135
What is the number one defense against most input attacks?
Validation of user input.
136
What is one of the most popular file integrity checkers?
Tripwire
137
What tool can perform SIEM correlations?
Splunk
138
What is the number one all-time champion Web hacking tool in the galaxy?
Your Web browser
139
What is the first thing you want to identify when monitoring the performance of your web application?
A baseline
140
What are the key performance indicators to track for security purposes while monitoring the performance of your web application?
1. Latency
2. Throughput
141
What are some specific attributes of latency and throughput that should be monitored?
1. Network connections
2. Page load times
3. Application login
4. Transaction times