7 - Cyber Systems Flashcards
(173 cards)
1
Q
Standard Computer Capabilities and Characteristics
– Four
A
- Speed
- Accuracy
- Diligence
- Versatility
2
Q
Computer Speed
– Limits
– Comparison
A
- Fastest possible = Speed of Light
- Limited by algorithm efficiency
- Thousands of times faster than humans
3
Q
Computer Accuracy
A
- High accuracy
- Errors due to human error/inaccurate data
4
Q
Computer Diligence
A
- Computers don’t suffer fatigue, lapse in concentration, etc. regardless of number of calculations
5
Q
Computer Versatility
A
- Perform multiple tasks at once w/ multi-processing
- Perform various types of tasks
6
Q
Workstation
– Other names
– Types
A
- Personal computer/client workstation
- Two Types
– Thin Client
– Thick Client
7
Q
Thin Client
A
- Software or computer relying on another computer to do most of the work
- Acts as interface connecting to network server doing the actual processing
8
Q
Thick Client
A
- Functions independent of the server
- May pull some data from server or run without being connected at all
9
Q
Server
A
- Computer managing shared resources for other network systems
- Common Types
– Application
– Catalog
– Database
– DHCP
– File
– Mail
– Proxy
– Web
10
Q
Vulnerability
A
- Weakness in a computer system that is open to exploitation
11
Q
Threat
A
- Possible danger that may take advantage of a vulnerability
- Could be an individual, an event, etc.
12
Q
Risk
A
- Likelihood that a threat will take advantage of a vulnerability
13
Q
Virus
A
- Code that spreads from one computer to another by attaching itself to other files
14
Q
Worms
A
- Code that spreads from one computer to another on its own
- Does not attach to another file
15
Q
Logic Bombs
A
- Code that sits dormant on a target computer until it’s triggered by a specific event
- Ex: Specific date/time or starting specific process
16
Q
Spyware
A
- Stealthily installed malicious software
- Intended to track/report data defined by author from a target system
17
Q
Adware
A
- Software that automatically displays or downloads ads
- “Not all malicious”
18
Q
Rootkits
A
- Code intended to take full or partial control of a system at low levels
19
Q
Botnets
A
- Collection of software robots run by a C2 program, controlled by a person
20
Q
Common Vulnerability Causes
A
- Configuration / Familiarity
- Implementation
- Design
21
Q
Configuration / Familiarity (Vulnerability Cause)
A
- Misconfigured system/app
– Ex: bad firewall rules
- Using well-known software increases probability of vulnerability/exploit
– Ex: Default PW from application user manual
22
Q
Implementation (Vulnerability Cause)
A
- Lack of input validation
– Program assumes all user input is safe, allowing attacks such as XSS or SQL injection
23
Q
Design (Vulnerability Cause)
A
- Inherent in a protocol, application, or architecture
– Ex: Using Telnet or FTP to administer a network
24
Q
Unstructured Threat
A
- “Script Kiddy”
- Unfocused attack often by individuals w/ limited skills
– “Unfocused” - system isn’t specifically targeted
25
Structured Threat
- **"CWO"**
- **Focused attack** by individual(s) w/ **high skills** against **specific system**
- Tend to be **motivated by specific cause**
-- Money, politics, etc.
26
Internal Threat
- Originate from individuals who **have/had authorized access**
-- Disgruntled/opportunistic employee
27
External Threat
- Originate **outside the organization**, often through the **internet**
28
Common Vulnerability and Exposure (CVE)
- Developed by **MITRE** in 1999
-- Non-profit research and dev organization
- **List of vulnerabilities**, each containing:
-- ID number
-- Description
-- At least one public reference
- ID format: CVE-YYYY-NNNN
29
U.S. National Vulnerability Database (NVD)
- Launched by **NIST** in 2005
- **Vulnerability database** built upon and synchronized w/ CVE
- Provides **Common Vulnerability Scoring System** (CVSS)
30
Exploit Database
- Maintained by **Offensive Security**
- **Archive** of exploits, shellcode, and security papers
31
Motherboard
- Main electronic circuit board **housing other sub-components**
-- CPU
-- Chipsets
-- Bus
-- System Clock
-- Expansion Slots
-- BIOS
-- CMOS
32
CPU
- Brain of computer
- Controls number of simultaneous tasks and task completion speed
33
Chipsets
- Circuitry responsible for managing specific hardware components
34
Bus
- Controls speed at which data is transferred between hardware components
35
System Clock
- Synchronizes and controls timing of computer ops
36
Expansion Slots
- Small plastic slots used to install additional devices such as video or network cards
- 1-6 in long x 1/2 in wide
37
BIOS
- Translates processor requests into instructions
- Executes POST
38
CMOS
- Contains computer's inventory list and advanced setup options
- Stores data read by BIOS
39
Memory
**2 Types**
- Random Access Memory (RAM)
-- **Volatile**
-- **Temporary** data storage which may be **quickly accessed by CPU**
- Read Only Memory (ROM)
-- **Non-volatile**
-- Stores programs the same way RAM does, but once the data is stored it **cannot be changed** (hence, read only)
-- Stores **frequently used instructions and data**, often for things such as BIOS
40
Hard Drives
- Stores changing data in relatively permanent form
- Most popular drives today are SCSI, SAS, and SATA
41
Operating System
- Significant impact on overall performance
- Ex:
-- Windows
-- Red Hat
-- Solaris
42
Distributed System Architectures (2)
- Client-Server Model (Centralized Environment)
- Peer-to-Peer Model (Decentralized Environment)
43
Client-Server Model
- Smart **clients contact server for data**, then format/display it for user
- Permanent changes at the client are committed back to the server
44
Peer-to-Peer Model
- **No special machines providing a service** or managing network resources
- All **responsibilities divided** among all machines
- Peers can be **both clients and servers**
45
CIA Triad
- Confidentiality - Protect data from being accessed by unauthorized parties
- Integrity - Ensure data authenticity
- Availability - Ensure data accessibility for authorized users
46
Enforce System Policies/Procedures
- Policy Statement
-- **Outlines a plan** for the user security component
- Standards
-- Defines **how to measure** the level of adherence to the policy
- Guidelines
-- **Recommendations or best practices** for how to meet the policy standard
- Procedures
-- **Step-by-step instructions** that detail how to implement the components of the policy
47
Four A's
- Authentication
-- Uniquely ID'ing a particular individual/entity
- Authorization
-- Determining what rights/privileges a particular entity has
- Access Control
-- Determining and assigning privileges to resources, data, etc.
- Auditing or Accounting
-- Tracking & recording system activities / resource access
48
System Hardening
- Eliminate as many security **risks** as possible
-- Disable unnecessary services/accounts
-- Protect management interfaces/apps
-- Password protection
49
Vulnerability Management
- **Ongoing, comprehensive process** or program that aims at managing an organization's vulnerabilities in a **holistic and continuous manner**
-- Asset Management - **devices**
-- Software Management - **software**
-- Vulnerability Assessment - **continuous vuln scans/remediation**
-- Patch Management - **obtaining, evaluating, testing, deploying new patches**
-- Change Management - **approving/executing change to assure CIA**
50
Due Care
- Describes **how individuals should use/maintain organization-issued hardware/software**
- Includes both using equipment **safely** and in an **approved manner**
51
Due Diligence
- **Investigating/researching all issues and options** relating to a particular subject
- **Ensure security policies/practices are effective**
- **Ensure no violation** of laws, statutes, or human rights
52
Due Process
- Organization does not assume an individual is guilty w/o due process
53
Operations Continuity Plan
- Defines how an org will maintain normal day-to-day ops during disruption or crisis
54
Disaster Recovery Plan
- Defines how people and resources will be protected in the case of a natural or man-made disaster
55
Benefits of Websites
- Reduces communication costs
- Enhances communication and coordination
- Accelerates the distribution of knowledge
- Improves customer service and customer satisfaction
56
Database Capabilities and Benefits
- Improved data sharing
- Improved data security
- Effective data integration
- DBMS minimize data inconsistency
- Better access to data
- Increase in productivity of end user
- Quick decision making
57
10 Most Critical Security Risks
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
58
Injection
- **Untrusted data sent** to an interpreter as part of **command or query**
- Tricks interpreter into **accessing data w/o proper authorization**
59
Broken Authentication
- Assuming another user's identity temporarily or permanently
60
Sensitive Data Exposure
- Lack of encryption for data at rest or in transit
61
XML External Entities (XXE)
- **Older** or **poorly configured XML**
- Ability to **upload hostile XML content**, exploiting vulnerable code or dependencies
62
Broken Access Control
- Exploitation of access control
- Failing to enforce authenticated user restrictions
63
Security Misconfiguration
- Exploiting Default configurations or unpatched flaws
64
Cross-Site Scripting (XSS)
- Insufficient input validation
- Attacker able to add malicious content to a website; content executed in other victims' browsers
65
Insecure Deserialization
- Existing data structures used but content changed
- Serialization used for persistence/caching
66
Using Components w/ Known Vulnerabilities
- Using preconfigured client/server-side components
- Not understanding component patch state
67
Insufficient Logging/Monitoring
- Not validating logging and monitoring capabilities
68
Website Components
- Web Page
- Web Content
- Websites
- Web Browser
- Web Application
- Browser Engine
69
Web Page
- **Computer file** suitable for the world wide web / a web browser
- Two types
-- Static - Flat/stationary page
-- Dynamic - Controlled by **Application Server** processing **server-side scripts** and **Client Web Browser** processing **client-side scripts**
70
Web Content
- Textual, visual, or aural content that is encountered as part of the user experience
71
Websites
- **Collection of related** web pages
- Common domain name
- Published on at least one web server
- Accessible by URL
72
Web Browser
- **Application** for accessing info on WWW
- Retrieves web page and content by distinct URLs
73
Web App
- **Client-server program** which **client runs** in a **web browser**
-- Ex: Webmail
74
Browser Engine
- **Core software component** of every major web browser
- Ex:
-- Blink - Used in Chrome and Chromium
-- EdgeHTML - Used in MS Edge and Universal Windows Platform
-- WebKit - Used in Safari and Adobe AIR apps
75
Data (database)
-- Definition
-- Characteristics
- Recorded facts and figures
- Characteristics
-- Persistent - Remains unchanged until acted upon
-- Integrated - Interacts and corresponds w/ other data
-- Shared - Ability to be accessed/manipulated by multiple users
76
Database
- **Collection** of meaningful information
- **Organized** for searching and retrieving info
77
Database System (Schema)
- **Logical layout** of the database
78
Database Management System (DBMS)
- **Set of programs/utilities** used to **create, process, and administer** a database
79
Major Database Components (4)
1. Data
- Known facts and implicit meaning
2. Hardware
- Equipment needed to maintain DB
3. Users
- Individuals **manipulating/maintaining** the DB
4. Software
- DBMS and programs supporting it
80
Markup Languages
-- Definition
-- Categories (3)
-- Examples
- Modern system for **annotating a document** in a way **syntactically distinguishable from text**
- Three general categories
-- Presentational
-- Procedural
-- Descriptive
- Most Common Languages
-- HTML
-- XHTML
-- XML
81
Style Sheets
-- Definition
-- Examples
- Form of **separation of presentation and content** for web design
- Defines visual layout/style
- Example Languages
-- CSS
-- Extensible Stylesheet Language (XSLT)
82
Client-side Scripting Languages
- Computer programs on the web executed **client side** instead of server side
- Used to **turn static content into dynamic content**
- Ex
-- AJAX
-- DOM
-- ActionScript
-- JavaScript
-- VBScript
83
Server-side Scripting Languages
- Executed by **web server** when user requests a document
- Ex
-- ASP/ASP.NET
-- ColdFusion
-- JSP
-- Perl
-- PHP
-- Python
-- Ruby
84
DBMS Languages
- Retrieve data from database
- Often embedded in server side scripts
- Ex
-- MS-SQL
-- MySQL
-- Oracle
-- PostgreSQL
-- Derby
-- MongoDB
-- SQLite
85
Flat File Database
- **Only One** large table
- Contains records w/ **no structured relationships**
- Ex
-- Tables found in MS Excel and Apple Numbers
86
Relational Database
- **Numerous tables** containing rows and columns of data
- Tables **relate** to one another through **shared data values**
- Ex
-- Two separate tables of data (Pay Records and Course Grades) linked by SSN (used to find and retrieve data from both)
87
Relational Database **Tables**
-- 2 parts
- Entity (Table Name)
-- Refers to storing info about an object
-- Data on members associated w/ a "CPT"
-- "CPT" would be the entity/table name
- Attribute (Column Name)
-- Characteristic or property of the entity that will be stored
88
Define Security Requirements
- **Derive security reqs** from industry standards, applicable laws, and vulnerability history
89
Leverage Security Frameworks/Libraries
- **Guard against security-related design and implementation flaws** by covering for lack of sufficient developer knowledge/time/budget
90
Secure Database Access
- Secure access to all data stores
- Consider securing queries, configuration, authentication, and communication
91
Encode and Escape Data
- Defensive techniques meant to stop injection attacks
92
Validate All Inputs
- Programming technique
- Ensures only **properly formatted data** may enter a software system
93
Implement Digital Identity
- Using Authentication and Session Management
94
Enforce Access Controls (Authorization)
- **Granting or denying specific requests** from a user, program, or process
95
Protect Data Everywhere
- Protect sensitive data (passwords, health records, etc.)
96
Implement Security Logging and Monitoring
- Log security and app
- Monitor security and app logs
97
Handle All Errors and Exceptions
- Allowing an application to **respond to errors correctly**
- Critical to making code reliable and secure
98
Cyber Command and Control Mission System (C3MS)
- **Provides 24/7/365 awareness, management, and control** of the AF domain
- Ensures **unfettered access, mission assurance, and joint warfighter use** of networks and info processing systems to accomplish worldwide ops
- Provides **operational level C2 and SA** of AF cyberspace forces, networks, and mission systems
99
AF Cyber Security and Control System (CSCS)
- Provides **24/7/365 NetOps and Management functions**
- **Enables enterprise services** within AF unclassified and classified networks
- **Supports DCO** within those AF networks
100
AF Intranet Control (AFINC)
- Manages **top-level boundary** and **entry point** into the AFIN
- **Controls** flow of all **external and inter-base traffic** - **16 gateways**
- Consists of two Integrated Management Suites (IMS)
101
AF Cyberspace Defense (ACD)
- **Prevents, detects, responds to, and provides forensics** of intrusions into unclassified and classified AF networks
102
Cyberspace Defense Analysis (CDA)
- **Monitors, collects, analyzes, and reports on sensitive info released** from friendly unclassified systems
103
Cyberspace Vulnerability Assessment/Hunter (CVA/H)
- **Executes vulnerability, compliance, pen-testing, and hunter missions** on AF and DoD networks/systems
- Hunter ops characterize and then eliminate threats for the purpose of mission assurance
- Performs **defensive sorties** world-wide via **remote or on-site** access
104
Delivery Vector
- The primary path or method used by the adversary to cause an incident or event to occur
105
Reconnaissance (delivery vector)
-- Definition
-- Sub Categories (3)
- Accessible information used to **characterize systems, apps, networks, and users**
- Sub Categories
-- Information Gathering and Data Mining - Gather **publicly available** information
-- Network Scan - Targeting **multiple IP** addresses (horizontal scan)
-- System Scan - Target **single IP** address across **range of ports** (vertical scan)
106
Authorized User (delivery vector)
-- Description
-- Categories (2)
- User w/authorized access **took specific actions that resulted in jeopardizing systems or data**
- Sub Categories
-- Purposeful - Authorized user **knowingly** took specific actions
-- Accidental - Authorized user took actions that had **consequences over and above the intentions**
107
Social Engineering (delivery vector)
-- Definition
-- Categories (3)
- **Human interaction** (social skills) or **deception used to gain access**
- Sub Categories
-- E-mail - Used to **deliver malicious payload/gain access**
-- Website - Used to **deliver malicious payload/gain access**
-- Other - **Target deceived or manipulated** in a way **other than email/website**
108
Configuration Management (delivery vector)
-- Definition
-- Categories (3)
- Compromise resulting from **inadequate or improper config** of a system
- Sub Categories
-- Network - Improperly/inadequately configured **network system/service**
-- OS - **OS** improperly/inadequately configured
-- App - **App** improperly/inadequately configured
109
Software Flaw (delivery vector)
-- Description
-- Categories (2)
- **Vulnerability in the software** that allows for **unauthorized use of or access** to a system
- Sub Categories
-- Exploited new vulnerability - Vuln **unknown prior to event** or **w/o mechanism to prevent** it
-- Exploited known vulnerability - vuln **known prior to event** and w/ a **mechanism to prevent** it
110
Transitive Trust (delivery vector)
- Definition
- Categories (2)
- Compromise **resulting from** the **implicit or explicit trust relationship** between security domains
- Sub Categories
-- Other IS compromise - Compromise resulting from **access previously gained by another system**
-- Masquerading - Compromise resulting from the **unauthorized use of valid credentials**
111
Resource Exhaustion (delivery vector)
-- Definition
-- Categories (2)
- **Consumption of system resources** that **prevent legitimate users from accessing** resources
- Sub Categories
-- Non-Distributed Network Activity - Activity **from single IP** that overwhelms system
-- Distributed Network Activity - Activity **from multiple IP** that overwhelms system
112
Physical Access (delivery vector)
-- Definition
-- Categories (3)
- **Unauthorized physical access** to resources
- Sub Categories
-- Mishandled or Lost Resource - Equipment was **lost, stolen, or left accessible** to unauthorized parties
-- Local Access to System - Unauthorized user **provided local physical access** to a DoD information network resource
-- Abuse of Resources - **Physical destruction** of an information resource by an unauthorized party
113
Other (delivery vector)
- Delivery vector not covered by other methods
114
Unknown (delivery vector)
- Delivery vector could not be determined w/ info available
115
C3MS
- Operated By
- Sub Components (5)
**Operated By**
- JBSA-Lackland
-- 616th Ops Center (AD)
-- 854th Combat Ops Sq (R)
- McGhee Tyson
-- 119 COS (R)
**Sub Components**
- Situational Awareness
-- Produce a **cyber operational picture**
- ISR
-- Enable **integration of** cyberspace actionable **intel products** into other sub-components
- Planning
-- Leverage SA to **develop long and short term plans** to execute OCO, DCO, and DoDIN ops
- Execution
-- Ability to leverage plans to **generate and track Cyber Tasking Orders** (CTO)
- Integration
-- Provides ability to **integrate AF-generated cyber effects** w/ other C2 nodes
116
CSCS
- Operated By
- Sub Components (2)
**Operated By**
- Joint Base Langley-Eustis
-- 83 NOS (AD)
-- 860 NOS (R)
- Peterson
-- 561 NOS (AD)
-- 960 NOS (R)
- Pearl Harbor-Hickam
-- 690 COS (AD)
- Ramstein
-- 691 COS (AD)
- McConnell
-- 299 NOS (R)
**Sub Components**
- DoDIN Ops and Management
-- Activities designed to **maintain and protect base-level operational networks**
- Enterprise Services
-- Provides **network application hosting and storage management** w/in AF networks
117
AFINC
- Operated By
- Sub Components (4)
**Operated By**
- Gunter Annex
-- 26 NOS (AD)
**Sub Components**
- Defense-in-Depth
-- Delivers an **enterprise-wide layered approach** by integrating the gateway and boundary devices
- Situational Awareness
-- Delivers **network data flow, traffic patterns, utilization rates, and in-depth research** of historical traffic for anomaly resolution
- Proactive Defense
-- Conducts **continuous monitoring** of AF network traffic
- Network Standardization
-- Creates and maintains **standards and policies**
118
ACD
- Operated By
- Sub Discipline Areas (4)
**Operated By**
- JBSA-Lackland
-- 33 NWS (AD)
-- 426 NWS (R)
- Quonset ANGB
-- 102 NWS (R)
**Sub Discipline Areas**
- Incident Prevention
-- **Protecting** against malware by **assessing/mitigating known vulnerabilities**
- Incident Detection
-- **Monitoring** classified/unclassified AF **networks**
- Incident Response
-- **Determines extent of intrusions** and **develops COAs to mitigate** the threat
- Computer Forensics
-- **Conducting in-depth analysis** to **determine threats** from ID'd incidents
119
CDA
- Operated By
- Sub Discipline Areas (6)
**Operated By**
- JBSA-Lackland
-- 68 NWS (AD)
- Offutt
-- 860 NWF (AD)
-- 960 NWF (R)
**Sub Discipline Areas**
- Telephony
-- Monitor & assess **unclassified voice networks**
- Radio Frequency
-- Monitor and assess **various frequency bands**
- Email
-- Monitor and assess **email traffic w/in AFNet**
- Internet Based Capabilities
-- Monitor and assess info that **originated w/in AFNet** that is **posted to publicly accessible websites**
- Cyberspace Op Risk Assessment
-- Assess data **compromised through AFNet intrusion** and **determine Ops impact**
- Web Risk Assessment
-- Assess info **posted on unclassified AF**-owned, leased, or operated public and private **websites**
120
CVA/H
- Operated By
- Sub Components (4)
**Operated By**
- 6 AD Units
-- JBSA-Lackland
-- Scott
- 12 ANG Units
- 1 Reserve Unit
-- Scott
**Sub Components**
- Mobile Interceptor Platform (MIP)
-- Laptop
- Deployable Interceptor Platform (DIP)
-- 2 servers and 5 network sensors used for remote ops
- Garrison Interceptor Platform (GIP)
-- Security ops floor for remote ops
- Information Ops Platform (IOP) Flyaway Kit
-- Boundary defense device placed in-line w/ network traffic
121
AFNet
- Design
- Enclave
-- **Collection of computing environments** (including personnel and physical security) connected by one or more **internal networks**
-- Under control of **single authority**
-- Ex: NIPR, SIPR
122
NIPRNet
- **Private IP** network
- **Unclassified**
- Provides access to **internet, email, file storage, etc**
- Comprised of **routers and nodes** owned by the DoD
- **Largest private network** in the world
- Part of Defense Information System Network (DISN)
123
SIPRNet
- **SECRET private IP** network
- Provides access to DoD's **classified intranet services**
- Utilized outside the military
-- Ex: Department of State
124
Surveillance (DCO Tactical Mission Type)
- Objective
-- **Collect relevant data**/information in/on the AO
- Tasks
-- Collect/monitor **network infrastructure**
-- Collect/monitor network **user characteristics/trends**
-- Collect/monitor **data from individual systems**
125
Reconnaissance (DCO Tactical Mission Type)
- Objective
-- **Collect relevant data/information on threats** in the AO
- Tasks
-- **Find and track** specified enemies, adversaries, and threats
-- **Understand and characterize** specified enemies, adversaries, and threats
126
Access (DCO Tactical Mission Type)
- Objective
-- **Provide sufficient access** for supported cyber forces
- Tasks
-- **Configure firewall** rules/policies
-- **Routing config** changes
-- Provision/**configure accounts**
-- **Configuring permissions**
127
Strike (DCO Mission Type)
- Objective
-- **Damage or destroy** an objective or capability
- Tasks
-- **Destroying resident adversary/malicious code** or other assigned artifacts
-- **Quarantining malicious code** and/or **preventing code execution**
-- Manipulating, denying, degrading, or disrupting **adversary network traffic**
128
Escort (DCO Tactical Mission Type)
- Objective
-- **Provide defensive support** to cyber weapon systems or mission partners conducting primary missions in the AO
- Tasks
-- **Deploy countermeasures**
-- **Ensure** all required forces have the **necessary level of access** to assigned AO during mission vulnerability window
129
SCAR (DCO Tactical Mission Type)
- Objective
-- **Conduct strike coordination and reconnaissance** in **response** to adversary activity w/in the AO
- Tasks
-- **Patrolling** the AO, or a portion of the AO
-- **Conduct or support strike and/or** follow-on Intelligence Preparation of the Environment (**IPOE**) missions
130
Secure (DCO Tactical Mission Type)
- Objective
-- **Enhance the Defenses** of the assigned AO in response to **active threats**
- Tasks
-- **Enhance defense** of cyber key terrain
-- **Reconfigure network appliances** to a more secure config in response to **active threats**
131
Threat Emulation (DCO Tactical Mission Type)
- Objective
-- **Replicate realistic TTP** of **specific cyber threats** to evaluate cyber defenses
- Tasks
-- **Emulate** known **adversary TTP**
-- Identify **unmitigated vulnerabilities**
-- **Assesses defensive posture** and processes
132
Public Switched Telephone Network
- **Worldwide collection** of **interconnected public telephone networks**
- **Circuit-switching** to allow users to make **landline** telephone calls
133
Voice over IP (VoIP)
- Able to **deliver voice communications/multimedia** over the **internet**
- **Packet-switched** network to allow users to make calls
134
Defense Switched Network (DSN)
- **World-wide** non-secure voice, secure voice, data, facsimile, and video teleconferencing services for **DoD C2 elements**
- Assures **non-blocking service** for users w/ flash and flash override precedence capabilities
135
Cellular Networks
- Communication network w/ last link being wireless
- Able to connect to PSTN and Internet
136
Phreaking
- PSTN vulnerability
- **Reverse engineering** the system of tones used to route long-distance calls
- **Recreate tones** to route **free calls**
137
War Dialing
- PSTN Vulnerability
- Technique to **automatically scan a list of telephone numbers**
- Usually dialing every number in a local area code to **search for modems**
138
Dialup Modems
- PSTN Vulnerability
- Overlooked **"backdoor" through a PSTN** into **another IT network**
- Used by admins to **remote into Control System** equipment
139
Registration Server Hijacking
- VoIP Vulnerability
- **Rogue device** registers as Registration Server by **impersonating a valid user**
140
Session Initiation Protocol (SIP) Attack Vectors
- VoIP Vulnerability
- Enumeration
-- Means to **ID SIP systems**
- Fuzzing
-- Type of DoS attack used to **send malformed data packets to crash** the SIP system
- Man-in-the-Middle
-- Attacker **intercepts** SIP call-signaling traffic
-- Attacker **masquerades** as both calling and called parties
-- **Hijacks** calls via redirection server
141
Tower Hijacking
- Cellular Network Vulnerability
- Attack ID's bug in **Base Transceiver Station** software services
- Attacker **exploits vulnerability and takes over** the tower transceiver
142
Mobile Device Software
- Cellular Network Vulnerability
- Incorrect **system permission settings** granting great access to other areas of the device
- **Exposed internal communication protocols** that pass messages internally within the device to itself or other apps
143
PSTN Components
- Class 4 (Toll Office)
-- Connects to multiple Class 5 offices
-- Connects to other Class 4 offices and Class 1 (Regional Center) office
- Class 5 (End Office)
-- **ONLY** office that **connects to individual or business** subscribers
-- Connects to other Class 5 offices and Class 4 office
- Local Loop ("Last Mile")
-- Physical connection between a carrier's Class 5 and the subscribers' premises
- Private Branch Exchange (PBX)
-- Telephone exchange typically owned by the customer
-- Calls made within PBX are at no cost
144
VoIP Components
- IP Phone/Software (Skype, etc.)
-- Uses VoIP tech allowing telephone calls to be made over an IP network
- Registration Server
-- Entity that **receives registrations** from a **UAC**
-- **Extracts info** about current location and stores it (IP address, port, username)
- Proxy Server
-- **Forwards requests** on behalf of the endpoint by consulting the registrar
-- Handles **Session Initiation Protocol** (SIP) requests for the User Agent
- Redirect Server
-- Accepts a request, maps the address, and returns to the client
-- **DOES NOT** pass the request on to other servers
- Call Manager
-- Provides **consolidated services**
-- **Sets up and monitors** calls, **maintains** the dial plan, **performs** phone number translations
- Media Gateway
-- **Interfacing IP network** based voice communications w/ traditional circuit-switched network
145
DSN Components
- DSN Backbone Switches
-- **Route calls** to other nodal switches
-- Multifunction switch, similar to PSTN Class 4 and 5 combined
- Installation Switches
-- Switches at bases, posts, camps, and stations
- End Office (EO)
-- **Primary Switch** for **long distance services** for either an installation or group of installations in a **geographic area**
- Small End Office (SMEO)
-- Switch that serves as primary switch
-- Used at **smaller DoD installations**
-- Will **not** serve installations with **critical missions**
- Private Branch Exchange (PBX)
-- PBX-1 - Switches w/ MLPP capabilities
-- PBX-2 - Switches **without** MLPP capabilities
- Remote Switch Unit (RSU)
-- **Switching capability** that is **connected to a host** as a remote
-- **Dependent upon the host switch** for software control
146
Cellular Network Components
- Base Transceiver Station (BTS)
-- Considered the "Radio Tower" with "RF"
- Base Station Controller (BSC)
-- Controls one or more BTS
-- Think of as a **cell**
- Base Station System (BSS)
-- Acts like a PSTN Local Loop for Cell Networks
-- Combines the BTS and BSC
- Mobile Switching Center (MSC)
-- Connects to a Base Station Controller
-- Acts like a PSTN Class 5 but for Cell Networks
- Mobile Telephone Switching Office (MTSO)
-- Considered the PSTN Central Office equivalent
-- Each carrier in each city runs one office
147
PSTN Design
- Local Access and Transport (LATA)
-- Area within which a **divested Regional Bell Operating Company** (RBOC) is permitted to **offer exchange telecommunications** and exchange access services
- North American Numbering Plan (NANP)
-- System used to **direct telephone calls** to a **particular region**
-- Provides telephone **numbering scheme**
---- Three-digit area code
---- Seven-digit telephone number
148
VoIP Design
- Session Initiation Protocol (SIP)
-- Call set up (INVITE) and terminate/transfer (BYE)
-- Two types of messages (request and response)
-- Port 5060
-- Similar to TCP three-way handshake, but more steps
- Realtime Transport Protocol (RTP)
-- Media protocol
-- Describes the packet format for the actual data
149
Cell Network Design
- GSM (Global System for Mobile Communication)
-- World standard
-- Subscriber ID Module (SIM) cards used for different providers in different countries
- TDMA (Time Division Multiple Access)
-- American Standard
-- Assigns each call a certain portion of time on a designated frequency
- CDMA (Code Division Multiple Access)
-- American Standard
-- Gives a unique code to each call and spreads it over available frequencies
- Network Data Technologies
-- 1G
-- 2G
-- 3G
-- 4G (Long Term Evolution, LTE)
-- 5G
150
PSTN Security
- Physical Security
- Network Security
151
VoIP Security
- Physical Security
- Layer-2 Network Segregation
- Layer-3 IP Segregation
**Encryption**
- Voice over Secure IP (VoSIP)
-- Unencrypted voice over encrypted network
- Secure VoIP
-- Encrypted voice over non-secure network
- Secure Voice over Secure IP (SVoSIP)
-- Encrypted voice over encrypted network
152
Cell Network Security
- Physical Security
- Mobile Device
-- Patch Management
-- Treat it like a computer
-- Encryption
-- Two-factor auth
---- Preferably not SMS due to ease of spoofing
153
Supervisory Control and Data Acquisition (SCADA)
- Computerized system that is capable of **gathering and processing** data and **applying operational controls** over long distances
- Used to control **dispersed assets**
- Designed to **collect field information**, transfer it to central computer facility, and display to operator
- Allows operator to monitor or control an entire system
154
Distributed Control System (DCS)
- Control achieved by intelligence that is distributed about the process to be controlled
- Used to **control production systems** within the same geographic location
-- Usually process control or discrete part control systems
155
ICS Industrial Sectors/Interdependencies
**Manufacturing Industries**
- Process-based
-- Continuous manufacturing process
---- **Runs continuously**, often w/ transitions for different product grades
-- Batch Manufacturing Process
---- **Distinct processing steps**
- Discrete-based
-- **Series of steps** on a single device to create an end product
- Manufacturing systems usually located w/in **confined area**
-- LAN
**Distribution Industries**
- Used to control geographically dispersed assets
-- Water distribution, gas pipelines, etc.
- Distribution systems spread over **large area**
-- WAN, wireless, RF
156
ICS Critical Infrastructure
- System of Systems
-- **Multiple, independent systems** combined to form a larger, more complex system
- **Interconnected** and **mutually dependent** in complex ways
-- Both physically and through info/comms
- Cascading failure in electric power grid
157
ICS Components
**Control Loops**
- Utilizes **sensors, actuators, and controllers** to manipulate some controlled process
-- Sensors **measure a physical property**
-- Controllers **interpret the signal** and **generate corresponding variables**
-- Actuators (valves, switches, motors, etc.) **directly manipulate** the controlled process
**Human-Machine Interface (HMI)**
- **Used by operators/engineers** to **monitor/configure** elements of controllers/actuators
- **Displays process status** info and historical info
**Remote Diagnostics**
- Used to **prevent, ID, and recover** from abnormal operation/failure
158
ICS Design Considerations (7)
- Control Timing Requirements
-- Wide range of time-related reqs
-- Human reliability/consistency vs automated controllers
-- Computation proximity to sensor (as close as possible)
- Geographic Distribution
-- Varying degrees of distribution
-- Small local process control vs wide area/mobile comms
- Hierarchy
-- Provides human operators w/ comprehensive view
- Control Complexity
-- Reliance on controllers and preset algorithms
-- Higher complexity requires human operators (such as ATC)
- Availability
-- High up-time reqs = more redundancy
- Impact of failures
-- What's affected if system fails
-- Higher impacts require continued ops through redundancy/degraded state ops
- Safety
-- Systems need ability to detect unsafe conditions
-- Human oversight in safety critical ops
159
SCADA Hardware
- Control Center
- Comm Equipment
- Remote Terminal Units (RTUs)
- Programmable Logic Controllers (PLC)
160
Programmable Logic Controllers (PLC)
- **Primary controller** in smaller control system configs, used to control discrete processes
-- Ex: automobile assembly lines
- Generally **lack a central control server/HMI**
-- **closed-loop control** w/o human involvement
161
ICS vs IT systems
- ICS control physical world
- IT systems manage data
- Different risks/priorities
- Different performance/reliability reqs
- ICS may use OSs and apps that may be unconventional in typical IT network
162
ICS Network Segmentation and Segregation
- One of the **most effective architectural concepts** to protect ICS
- Determine **critical parts** of network that **need segregation**
- Goal is to **minimize access** to sensitive info
- **No** system should be **dual-NIC'd**
- Methods
-- Logical Network Separation (**minimum separation**) (VLANs, VPNs, unidirectional gateways)
-- Physical Network Separation
-- Network Traffic Filtering (IP/route, ports, protocols, applications, etc.)
163
ICS Boundary Protection
- Transfer of info between domains = Risk
- Boundary devices are key to enforcement of security policies
- Can be used to isolate ICS and enterprise components
-- Limits unauthorized info flow
- Includes
-- Gateways, routers, firewalls, IDS, etc.
164
ICS Firewalls
- Control flow of traffic between networks
- Typically deployed between ICS and enterprise networks
- All connections between networks should go through firewall
- Special considerations:
-- Possible addition of delay to ICS comms
-- Lack of experience in the design of rule sets for ICS
165
ICS Defense in Depth
- Single security product can't do it all
- Utilize **overlapping security mechanisms**
-- Firewall, DMZ, IDS, etc
-- Policies, training, incident response, physical security
- Requires a **thorough understanding** of adversary tactics
166
General Firewall Policies (ICS)
- Deny all except for traffic absolutely required
-- Difficult to implement in reality
-- Basic premise
- Best Practices (examples)
-- Base rule set - deny all, permit none
-- All "permit" rules should be address and port specific
-- All rules should restrict traffic to specific IP or range
167
Recommended Firewall Rules (ICS)
- Disallow DNS requests
- Disallow HTTP from public/corporate to the control network
- Block TFTP, allow FTP for outbound sessions only
- Use SSH instead of Telnet
168
ICS Firewall Issues
- Data Historians
- Remote Support Access
- Multicast Traffic
- Unidirectional Gateways
- Single Points of Failure
- Redundancy and Fault Tolerance
- Preventing Man-in-the-Middle Attacks
- Authentication and Authorization
- Monitoring, Logging, and Auditing
- Incident Detection, Response, and System Recovery
169
ICS Policy and Procedure and Predisposing Conditions (Vulnerabilities)
- Introduced because of incomplete, inappropriate, or nonexistent security policy
- Ex:
-- Inadequate security policy for ICS
-- No formal ICS security training/awareness program
-- Lack of redundancy for critical components
170
ICS System and Predisposing Conditions (vulnerabilities)
- Can occur in hardware, firmware, and software
- Can occur in large complex systems and networks
- Sources:
-- Design Flaws
-- Development Flaws
-- Misconfigurations
-- Poor Maintenance
-- Poor Administration
-- Connections w/ other systems and networks
171
ICS Vulnerabilities
- Architecture and Design
-- Insecure architecture allowed to evolve; no security perimeter defined
- Configuration and Maintenance
-- Inadequate testing of security changes, data unprotected
- Physical
-- Unauthorized personnel have physical access
- Software Development
-- Improper Data Validation
- Comm and Network Config
-- Firewalls nonexistent or improperly configured
172
Example ICS Adversarial Incidents
- Denial of Control Action
- Control Devices Reprogrammed
- Spoofed System Status Info
- Control Logic Manipulation
- Safety Systems Modified
- Malware on Control Systems
173
Documented ICS Incidents
- Adversarial Events
-- Worcester Air Traffic Communications
-- Stuxnet Worm
- Structural Events
-- CSX Train Signaling System
-- Browns Ferry-3 PLC Failure
- Environmental Events
-- Fukushima Daiichi Nuclear Disaster
- Accidental Events
-- Vulnerability Scanner Incidents
-- Penetration Testing Incident